Privacy Policy
1. Introduction
Bjorn Interactive SAS ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Norlu mobile application (the "Application") and related services (collectively, the "Service").
This Privacy Policy applies to all users of the Service and should be read in conjunction with our Terms and Conditions of Use. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Data Controller and Contact Information
The data controller responsible for your personal data is:
Bjorn Interactive SAS
Registered Office: Rosheim, Alsace, France
SIREN: 100891522
Email: norlu@bjorninteractive.com
Privacy Contact: Amaury Dreher (legal@norlu.io)
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us using the information provided above.
3. Legal Basis for Processing (GDPR Compliance)
We process your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable French data protection laws. The legal bases for our processing activities are as follows:
3.1 Consent
We process certain categories of personal data based on your explicit consent, including: location data for map display and Spot discovery, camera access for photo capture and validation, and analytics cookies and non-essential tracking technologies.
You have the right to withdraw your consent at any time through the Application settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, but may limit your ability to use certain features of the Service.
3.2 Performance of Contract
Processing is necessary for the performance of our contract with you (the Terms and Conditions) for: account creation and authentication, providing core Service functionality (Spot collection, gamification, user profiles), processing Norlu+ subscription payments, and delivering customer support.
3.3 Legitimate Interests
We process personal data where necessary for our legitimate interests or those of third parties, provided these interests are not overridden by your fundamental rights and freedoms. These legitimate interests include: preventing fraud, cheating, and abuse of the Service through anti-cheat systems, improving and developing the Service through analytics and machine learning, ensuring security and integrity of our systems, managing business operations and internal administration, complying with legal obligations and responding to legal requests, and supporting sustainable tourism development and territorial economic growth through aggregated analytics shared with institutional partners.
3.4 Legal Obligation
We may process your personal data where necessary to comply with legal obligations to which we are subject, including tax and accounting requirements, responding to lawful requests from public authorities, and complying with applicable consumer protection laws.
4. Information We Collect
We collect several categories of information from and about users of our Service.
4.1 Information You Provide Directly
Account Information: When you create an account, we collect your email address, chosen username, authentication method (email/password, Google, or Apple), year of birth (used for age eligibility verification and aggregated demographic analysis) and profile information you choose to provide.
User Content: Photos you take and submit when collecting Spots, including associated metadata such as timestamp, device information, and GPS coordinates embedded in the photo file.
Communications: Information you provide when you contact our customer support, respond to surveys, or otherwise communicate with us.
Payment Information: If you subscribe to Norlu+, payment information is collected and processed by third-party payment platforms (Apple App Store or Google Play Store). We receive only confirmation of successful payment and subscription status; we do not directly collect or store your credit card or payment details.
4.2 Information Collected Automatically
Location Data: We collect precise geolocation data from your mobile device when you use the Service, including GPS coordinates, altitude, accuracy radius, and timestamp. This data collection is strictly episodic: GPS coordinates are only captured at the precise moment a user actively triggers a "Spot" validation (e.g., at the moment of taking a photo), and the Application does not continuously track or record the user's trajectory between Spots. This data is collected only when the Application is active and in use.
Usage Data: Information about your interactions with the Service, including Spots viewed and collected, points earned and spent, achievements unlocked, streak status, session duration and frequency, features accessed, and in-app navigation patterns.
Device Information: Technical information about your device, including device type and model, operating system and version, unique device identifiers (IDFA on iOS, Advertising ID on Android), mobile network information, IP address, browser type and version (if applicable), and screen resolution and device settings.
Log Data: Server logs that record technical information about your use of the Service, including access times, error messages, API requests, and crash reports.
4.3 Information from Third Parties
Authentication Providers: If you use Google Sign-In or Apple Sign-In, we receive basic profile information from these providers, including your name, email address, and profile picture (if you choose to share it). The information we receive is governed by the privacy policies of these third-party providers.
Analytics and Service Providers: We may receive aggregated, de-identified data from third-party analytics services that help us understand how users interact with our Service.
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Providing and Operating the Service
Creating and managing your account; Verifying user age for service eligibility (age gating); Authenticating your identity and managing account security; Displaying nearby Spots on the interactive map; Validating your physical presence at Spots using GPS coordinates; Processing and verifying photos submitted for Spot collection; Calculating and awarding points, levels, and achievements; Tracking weekly streaks and applying multipliers; Providing Norlu+ subscription features; Enabling social sharing and community features; Delivering in-app notifications and communications; and Processing and fulfilling Partner Rewards.
5.2 Fraud Prevention and Security
Detecting and preventing GPS spoofing, location falsification, and other cheating methods; Identifying and blocking bots, automated scripts, and unauthorized access; Analyzing movement patterns for consistency with genuine human behavior; Verifying photo authenticity using metadata and image analysis; Monitoring for violations of our Terms and Conditions; Protecting against unauthorized access, data breaches, and security threats; and Investigating and responding to reports of abuse or suspicious activity.
5.3 Service Improvement and Analytics
Analyzing usage patterns to improve Service features and user experience; Conducting A/B testing and experiments to optimize functionality; Developing and training machine learning models for anti-cheat detection and photo validation (which analyze strictly telemetric and physical consistency data for fraud prevention and cybersecurity purposes, and never evaluate, infer, or predict a user's personality characteristics or general social behavior); Identifying and fixing bugs and technical issues; Measuring engagement, retention, and other performance metrics; Understanding which Spots are most popular and why; Informing product roadmap and feature development decisions; and Generating aggregated territorial analytics to support sustainable tourism development.
5.4 Communications
Sending transactional emails related to your account (e.g., password resets, subscription confirmations); Delivering push notifications about streaks, achievements, and new features (you can opt out in settings); Responding to your inquiries and support requests; Notifying you of changes to our Terms, Privacy Policy, or Service features; and Sending marketing communications if you have opted in (you can opt out at any time).
5.5 Legal and Compliance
Complying with legal obligations, including tax and accounting requirements; Responding to lawful requests from public authorities, law enforcement, or courts; Enforcing our Terms and Conditions and protecting our legal rights; Resolving disputes and preventing fraud or illegal activities; and Protecting the safety, security, and integrity of our Service, users, and third parties.
6. How We Share Your Information
We do not sell your personal data to third parties. We may share your information in the following limited circumstances:
6.1 Service Providers and Processors
We engage third-party service providers to perform functions on our behalf. These service providers have access to your personal data only to perform specific tasks and are obligated not to disclose or use it for any other purpose. Categories of service providers include:
Cloud Hosting and Infrastructure: Amazon Web Services (AWS) or Google Cloud Platform for hosting our servers and databases.
Backend-as-a-Service: Firebase (Google) or Supabase for authentication, database, and cloud functions.
Maps and Geolocation: Mapbox or Google Maps Platform for map display and geocoding services.
Analytics and Monitoring: Google Analytics, Mixpanel, or similar services for usage analytics (anonymized where possible).
Payment Processing: Apple App Store and Google Play Store for subscription billing.
Email Communications: SendGrid, Mailgun, or similar services for transactional emails.
Customer Support: Intercom, Zendesk, or similar platforms for support ticket management.
Crash Reporting: Sentry or Firebase Crashlytics for error monitoring and debugging.
All service providers are carefully selected and required to implement appropriate technical and organizational measures to protect your data in accordance with GDPR standards. We maintain data processing agreements with all processors handling personal data.
6.2 Public Tourism Organizations and Institutional Partners
Norlu partners with public tourism organizations to promote sustainable tourism development, combat overtourism, and support evidence-based territorial policies. As part of these partnerships, we share aggregated and anonymized analytics with tourism offices, departmental and regional tourism committees, and other public institutions responsible for territorial development.
The categories of institutions with whom we may share data include municipal and intercommunal tourism offices, departmental tourism committees, regional tourism committees, and national or regional agencies responsible for territorial economic development. This sharing is limited to territories where we have established formal partnership agreements.
The data shared with institutional partners consists exclusively of aggregated statistics that cannot identify individual users. This includes visitor flow statistics by site and time period, with data aggregated across minimum cohorts of ten users; heat maps showing geographic concentration of visits without individual trajectories; mobility indicators including the proportion of users employing sustainable transport modes; average visit durations and visitation patterns; conversion rates toward partner businesses presented as percentages without individual transaction data; and demographic trends at the aggregate level such as age ranges and geographic origins, with no individual profiles transmitted.
The purpose of this data sharing is to enable institutional partners to optimize tourist flow management and reduce pressure on saturated sites, measure the impact of territorial tourism policies and justify public investments, improve local tourism offerings based on real visitor behavior data, support evidence-based decision-making for sustainable tourism development, and fulfill our mission of promoting sustainable tourism and combating overtourism.
We implement strict technical safeguards to protect your privacy in this context. All data is aggregated with a minimum threshold of ten users per data point to prevent any possibility of re-identification. No individual raw data is ever transmitted to institutional partners. Access to analytics dashboards is restricted to authenticated users from partner organizations under strict confidentiality agreements. All data transmission follows GDPR-compliant security protocols. The aggregation and anonymization processes are designed to make re-identification technically impossible.
You retain control over your data participation. You may opt out of inclusion in these aggregated statistics through your privacy settings, although this may limit certain community features of the Service. Even if you opt out of analytics sharing, data essential to providing the core Service functionality will continue to be collected and processed as described elsewhere in this Privacy Policy. Your opt-out preference applies specifically to the inclusion of your data in reports and dashboards shared with institutional partners.
The legal basis for this processing is our legitimate interest in supporting sustainable tourism development and territorial economic growth, which is not overridden by your fundamental rights and freedoms given the strict anonymization measures in place. For users who have consented to analytics cookies, consent also covers this institutional data sharing.
6.3 Business Partners
We may share limited information with business partners who provide rewards and offers through our Partner Program. This sharing is limited to anonymized or aggregated data (e.g., number of users who viewed an offer) unless you explicitly consent to share identifying information when redeeming a reward.
6.4 Legal Requirements and Protection of Rights
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court, government agency, or law enforcement). We may also disclose your information when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a legal process.
6.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice in the Application of any such change in ownership or control of your personal data, and you will have the opportunity to delete your account if you do not wish your data to be transferred.
6.6 Aggregated and De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may share statistics about Spot popularity, general usage trends, or regional engagement metrics with tourism offices or in public reports.
As described in Section 6.2 above, aggregated data shared with public tourism organizations is subject to the same strict anonymization standards. We may also use aggregated data in case studies, marketing materials, and public reports to demonstrate the effectiveness of the Service, provided that no individual users can be identified and, where applicable, specific partner territories are not identified without their explicit consent.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) that may not offer the same level of data protection as your home country. Specifically:
Some of our service providers (e.g., cloud hosting, analytics) may operate servers or maintain facilities in the United States or other non-EEA countries. When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with service providers to ensure adequate protection of your data.
Adequacy Decisions: We transfer data to countries that have been deemed by the European Commission to provide an adequate level of data protection.
Privacy Shield (where applicable): For transfers to certified organizations under the EU-U.S. or Swiss-U.S. Privacy Shield frameworks (noting the framework's current legal status).
Additional Safeguards: We conduct transfer impact assessments and implement supplementary technical and organizational measures where necessary.
You have the right to obtain information about the safeguards we have put in place for international transfers. Please contact us at legal@norlu.io for more information.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Specific retention periods include:
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:
9.1 Right of Access
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to request access to that data. This includes the right to receive a copy of your personal data undergoing processing.
9.2 Right to Rectification
You have the right to request correction of inaccurate personal data and to have incomplete personal data completed. You can update most of your account information directly through the Application settings.
9.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data under certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, you withdraw your consent (where processing is based on consent), you object to processing and there are no overriding legitimate grounds, the data has been unlawfully processed, or erasure is required to comply with a legal obligation.
Please note that we may retain certain information as required by law or for legitimate business purposes to the extent permitted by law. You can delete your account at any time through the Application settings.
9.4 Right to Restriction of Processing
You have the right to request restriction of processing of your personal data under certain circumstances, including when you contest the accuracy of the data, the processing is unlawful but you oppose erasure, we no longer need the data but you need it for legal claims, or you have objected to processing pending verification of legitimate grounds.
9.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where technically feasible. This right applies when processing is based on consent or contract and is carried out by automated means.
Please note that data portability applies to your personal data. It does not extend to aggregated analytics reports or dashboards generated for institutional partners, as these constitute derivative works owned by Bjorn Interactive SAS and no longer contain personally identifiable information.
9.6 Right to Object
You have the right to object to processing of your personal data where processing is based on legitimate interests. You can instantly exercise your absolute right to object to your data being processed for B2G territorial analytics by using the dedicated privacy toggle in your Application settings. We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
You also have the absolute right to object to processing of your personal data for direct marketing purposes.
9.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent for location services, push notifications, and analytics through the Application settings.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
For users in France, the competent supervisory authority is: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, Website: www.cnil.fr
9.9 Right Related to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This applies to decisions such as permanent account bans resulting from our Anti-Cheat systems.
Where an automated decision is made, you have the right to request meaningful human intervention on our part, to express your point of view, and to contest the decision. To exercise this right, please contact us at legal@norlu.io.
9.10 Exercising Your Rights
To exercise any of the rights described above, please contact us at legal@norlu.io or through the Application settings. We will respond to your request within one month, although this period may be extended by two additional months where necessary, taking into account the complexity and number of requests.
We may request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
10. Data Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
Technical Measures:
Encryption of data in transit using TLS/SSL protocols; Encryption of sensitive data at rest (passwords, payment information); Secure password hashing using bcrypt or Argon2 with appropriate cost factors; Regular security assessments and penetration testing; Automated monitoring and intrusion detection systems; Secure software development practices and code review processes; Regular security updates and patch management; and Database access controls and query parameter sanitization.
Organizational Measures:
Limited access to personal data on a need-to-know basis; Employee training on data protection and security practices; Confidentiality agreements with employees and contractors; Data processing agreements with all third-party processors; Incident response and breach notification procedures; Regular backups and disaster recovery planning; Data protection impact assessments for high-risk processing activities; Strict access controls for institutional partner dashboards with multi-factor authentication; Confidentiality agreements and data processing agreements with all public tourism organizations receiving analytics; and Regular audits of data aggregation processes to verify anonymization effectiveness.
Despite these measures, no method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at support@norlu.io.
11. Children's Privacy
The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age. If you are under 13, please do not use the Service or provide any information through it.
If you are between 13 and 18 years of age (or the age of majority in your jurisdiction), you may only use the Service with the consent and supervision of a parent or legal guardian.
If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe we might have information from or about a child under 13, please contact us at legal@norlu.io.
12. Cookies and Tracking Technologies
12.1 Types of Technologies We Use
The Service uses cookies and similar tracking technologies to collect and store information. These technologies include:
Cookies: Small text files stored on your device that help us recognize you and remember your preferences.
Session Storage: Temporary storage that expires when you close the Application.
Local Storage: Persistent storage for caching data and improving performance.
Mobile Identifiers: Device identifiers such as IDFA (iOS) or Advertising ID (Android) for analytics and attribution.
SDKs: Software development kits from third-party services that may collect usage data.
12.2 Categories of Cookies
Essential Cookies: Necessary for the Service to function properly. These cookies enable core functionality such as security, authentication, and session management. You cannot opt out of essential cookies.
Analytics Cookies: Help us understand how users interact with the Service by collecting information about pages visited, time spent, and other usage metrics. We use services such as Google Analytics and Mixpanel for this purpose.
Performance Cookies: Allow us to monitor and improve the performance of the Service, including loading times, crash reporting, and error tracking.
Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.
12.3 Managing Cookies and Tracking
You can manage your cookie preferences through the Application settings. Please note that disabling certain cookies may limit your ability to use some features of the Service.
For mobile advertising identifiers: iOS users can limit ad tracking or reset their advertising identifier through Settings > Privacy > Advertising. Android users can opt out of personalized ads or reset their advertising ID through Settings > Google > Ads.
13. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services that are not owned or controlled by us, including Partner websites and social media platforms. This Privacy Policy applies only to information collected by our Service.
We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party sites or services before providing them with your personal information.
When you use third-party authentication (Google Sign-In or Apple Sign-In), you are also subject to those providers' privacy policies and terms of service.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will notify you by:
Sending an email to the email address associated with your account; Displaying a prominent notice within the Application; and Updating the "Effective Date" at the beginning of this Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after we publish or send notice of changes to this Privacy Policy means that you consent to the updated Privacy Policy.
If you do not agree with the changes to the Privacy Policy, you must stop using the Service and may delete your account in accordance with our Terms and Conditions.
15. Additional Rights for California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, the business or commercial purposes for collecting the information, and the categories of third parties with whom we share personal information.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out of Sale: We do not sell your personal information as defined under the CCPA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise these rights, please contact us at legal@norlu.io or through the Application settings. We will verify your identity before processing your request.
16. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:
Bjorn Interactive SAS
Registered Office: Rosheim, Alsace, France
Email: norlu@bjorninteractive.com
Privacy Contact: Amaury Dreher (legal@norlu.io)
Support: support@norlu.io
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to lodge a complaint with the data protection authority in your jurisdiction.
———
END OF PRIVACY POLICY