Privacy Policy — ActiveScanning v0.3 (English)

Last updated: 6 July 2026
Version: 0.3 (anchor phase + Beta 1; v0.3 approved 2026-07-06: new § 3.5 Beta 1/team module/feedback, updated contact info)
Language note: The Norwegian version above is the authoritative version. This English translation is provided for convenience.


ActiveScanning is a training diary for football players. We take privacy seriously — especially because many of our users are minors. This policy explains what we store, why, and what rights you have.

If you are reading this as a guardian of a player, your role is important: you provide the legal basis for processing the child's data.


1. Who we are

Data controller: Edda AS
Organization number: 945 211 512 (business address: see the Norwegian Register of Business Enterprises)
Email: support@activescanning.com · privacy questions: personvern@trainingdiary.com

Edda AS is responsible for all personal data processed through ActiveScanning.


1.5 Who can use the service — minimum age

In the anchor phase (Sprint 3-5, 2026):
The service is open only to players aged 13 and over. The anchor phase is a controlled test phase with manual reading of submissions and a limited user count, and we require the level of self-reflection associated with at least 13 years of age.

In the rollout phase (Sprint 5 onwards):
The service will be open to players aged 8 and over, under the age-stratified rules described in sections 4.6 and 4.7. Players aged 8-12 must use the service with guardian involvement.

Absolute minimum age:
ActiveScanning will not at any time be available to users under the age of 8. Scanning, as measured by ActiveScanning, is not meaningfully developed before approximately 13 years of age (Aksum et al., 2021; Memmert, 2007), and younger children should focus on deliberate play, not data logging. A separate "Kids variant" of the service is under consideration for post-launch development, but is not part of the current product.


2. What we store

In the anchor phase (Sprint 3) we store:

We do NOT store:


3. Why we process the data (legal basis)

For players under 15: Processing is based on parental consent (GDPR Art. 6(1)(a) + Art. 8 and Norwegian Personal Data Act § 5). The guardian has given informed consent for the child to use the service. Although Norwegian law permits digital consent from age 13, ActiveScanning requires parental consent for all players under 15. This provides additional protection for the youngest users during a phase where we are still developing and verifying the service.

For players 15 and over: Processing is based on the player's own consent.

The purpose of the processing is:

  1. To give the player an overview of their match performances over time
  2. To generate personalized reports (PDF) sent to the player
  3. To help the player understand their development
  4. To produce anonymous aggregated statistics (for example "U15 players in Norway scanned on average X times per match in 2027") that give all users better comparative benchmarks

We do NOT use the data for:


3.5 Beta 1, the team module, and feedback (added in v0.3, July 2026)

Beta 1 participation: For invited beta participants we process name, email, birth year, and the player's self-logged match data (involvements, scans, minutes, score) on the basis of consent (Art. 6(1)(a)); for children under 15, the guardian's written consent is obtained (Norwegian Personal Data Act § 5). Free-text, emotion, and health fields are disabled in the beta. Data is stored in Norway/EEA (Microsoft Azure/Dataverse) and deleted within 30 days after withdrawn consent or the end of the beta.

Team administration (the team module): For teams using the team module we additionally process team membership (name, shirt number, role), invitations and attendance responses with an optional free-text note (the app never asks for health information), carpool coordination (meeting points only — home addresses are rejected by the app), the guardian's email address for notifications, and the coach's match log (minutes, goals, score per player). Basis: consent (Art. 6(1)(a)) as part of beta participation; the coach's access is limited to their own team. Same retention and deletion rules as above.

Feedback (the bug/suggestion button): Our pages have a button where anyone can report a bug or suggest an improvement. We then process your email address, your message (max 2000 characters), and which page you were on — so we can read, reply, and fix. The basis is legitimate interest (Art. 6(1)(f)): you contact us, and we need to be able to answer you. You receive a confirmation copy by email. The message is deleted no later than 90 days after the case is closed. Write to personvern@trainingdiary.com if you want it deleted sooner.


4. Who has access

Us (Edda AS): Edda AS personnel have access according to their work tasks. In the anchor phase (2026), Mats Anda is the only person with access. As the team expands, all future employees and contractors will sign a non-disclosure agreement (NDA) and complete GDPR training before being granted access to personal data. Access level is tailored to role (principle of least privilege).

Third-party services we use (data processors):

We do NOT share data with coaches, clubs, football associations, or anyone else without explicit new consent.


4.5 Free text, AI use, and guardian access to free text

Match Report contains a free-text field where the player can write their own notes about the match — how they felt, what went well, what was difficult.

What AI does with this (when AI features are activated, earliest Sprint 6):
AI reads the notes to find patterns over time (for example: is the player often tired on Fridays? Does the injury history from the left knee show a pattern?). AI provides feedback as guidance on training and recovery, never as a diagnosis.

What AI does NOT do — the classifier-first principle:
Every free-text submission passes through an automatic classifier BEFORE AI sees it. If the classifier identifies sensitive content — violence, abuse, self-harm, serious mental health issues, or topics outside our competence — AI does not process the text. AI never sees it. The player instead receives a quiet, non-alarming message in the app pointing to:

Sensitive free text is also not stored in plain searchable form. It remains in the player's own record, but no other system component reads it.

This is a deliberate design decision: we are a training diary, not a crisis service. Professionals should help — we point the user there.

Guardian access to free text:
Guardians do NOT have access to read the player's free-text notes. This applies at all ages where free text is collected. The player's reflections are private to the player. The reasoning: if guardians could read free text, the player would stop writing honestly, and the reflection feature would lose its value as a development tool. Guardian access to other data (aggregate statistics, achievements, consent status) is described in section 4.6.

The exception is the classifier signal. When the classifier flags sensitive content, the guardian receives a notification — but not the text itself. The notification reads, in summary: "ActiveScanning has given [player name] contact information for a support service based on something they wrote. We recommend that you check in with [name]." The guardian sees that the system has reached out to the child, never what the child wrote.

In the anchor phase (2026):
AI does NOT read free text at all. Mats Anda reads every submitted report manually as part of quality verification of the service. This means free text is read by one human (Mats) in the anchor phase, governed by the team-access policy in section 4. When AI features are introduced (earliest Sprint 6), the classifier described above must be implemented and tested before AI is given access to free text. Anchor-phase players and their guardians are informed of this in the onboarding consent flow.

Notification duties to public authorities:
If Edda AS becomes aware of serious matters — through Mats Anda's manual reading in the anchor phase, the classifier's signal in later phases, or direct contact from a player or guardian — we have, as private individuals and as a business, a duty to notify child protective services or the police in accordance with Norwegian law (Penal Code § 196, Child Welfare Act § 13-2). This duty overrides the standard rule that guardians do not see the content of free text — but in such cases, the recipient is the public authority, not the guardian directly. We will inform the guardian after the report is filed, unless doing so would put the child at greater risk.


4.6 Guardian access to other data — age-stratified

Guardian access to data other than free text varies by player age. The principle: as the player grows older, the player's autonomy grows, and the guardian's automatic access shrinks. Free text is private at all ages (see section 4.5).

Anchor-phase note: In the anchor phase (2026, Sprint 3-5) only players aged 13 and over are active users. The age groups below describe the policy for all future phases, including the rollout phase from Sprint 5 onwards.

Ages 8-12 (future rollout phase only, not active in anchor):
The guardian is the primary account owner. The player logs matches with the guardian's involvement or after explicit per-session permission.
The guardian sees: number of matches logged, streaks, achievements, consent status.
The guardian does NOT see: free text (see 4.5), individual match-report statistics, scanning-frequency raw data.
Match Reports are delivered to the player's email (or the guardian's email if the player does not have their own).
The player is shown as an anonymous code in any external lists.

Ages 13-15:
The player logs matches independently. Guardian consent is still required (see section 3 — this is stricter than the legal minimum of 13).
The guardian sees: aggregate dashboard (matches, streaks, achievements), consent status.
The guardian does NOT see: free text (see 4.5), raw statistics.
Match Reports are delivered to the player's email. The guardian may opt-in to receive a copy.

Ages 16-17:
The player owns the account fully. Guardian consent is no longer legally required.
Guardian access is now OPT-IN from the player (default: no access beyond contact information).
Match Reports are delivered only to the player's email.
The player may choose to share aggregate views with the guardian, in which case the guardian receives an invitation and can accept.

Ages 18 and over:
Full autonomy. The guardian relationship does not exist in the data model unless the user explicitly opts in (rare, but possible — for example, for players who request continued family involvement for personal or sporting reasons, such as parents who travel with the player to academies or international competitions).

Server-side enforcement:
Guardian access rules are enforced server-side, not only in the user interface. No backend endpoint returns data to a guardian token that the guardian is not entitled to see at the player's current age. When the player crosses an age boundary (13, 16, 18), access rules adjust automatically.


4.7 Account ownership transfer at age 16

When the player turns 16, full ownership of the account transfers from the guardian-supported model (ages 13-15) to the player-owned model (ages 16-17). The transfer is automatic, time-bounded, and protected against misuse in both directions.

Thirty days before the player's 16th birthday:
Both the player and the guardian receive a notification: "On [date], [player name] takes over ownership of the account. From that point, [player name] decides what you as a guardian can see. You can prepare for this by discussing what aggregate information [player name] is willing to continue sharing."

On the player's 16th birthday (or first login after):
The player is presented with a "Take ownership" flow:

After transfer:
The guardian receives an email: "[Player name] has taken over the account. You now see [what the player chose to share]. If you believe the transfer was made without [player name]'s free will (suspicion of pressure, forgotten password, or other concern), please contact support within 14 days."

Cooldown period of 14 days:
During the cooldown, the guardian may escalate to ActiveScanning support if they suspect the transfer is irregular. If escalation occurs, the account is frozen for human review (not automatically reversed). The decision after review may be: restore guardian access, confirm the transfer, or take other appropriate action.

After cooldown:
Full ownership is final. Guardian access is removed unless the player has actively granted new opt-in access during or after the transfer flow.

Removing guardian access at any time (from age 16):
The player may remove guardian access from the dashboard at any time. The action requires two-step confirmation (password plus email verification). The guardian receives a notification with a seven-day protest window, during which the guardian may contact support only — not invoke legal recourse through the app.

Emergency removal of guardian access (for ages 13 and over):
Where the player is in danger from the guardian — for example, in cases of violence or abuse in the home — a separate "emergency removal" function is available. This function:

The emergency removal function will not be implemented until consultation with a relevant professional (child welfare or child psychology) is completed. Until then, the function is described in this policy but not active in the product. Players who need to escape a harmful guardian situation in the anchor phase should contact ActiveScanning support directly at support@activescanning.com or, for immediate safety, contact Children's Helpline at 116 111.


5. How long we store

User data: Indefinitely, for as long as the user wishes. The data belongs to the user, and we will never lock historical data behind a paywall.

You can request deletion at any time. See section 7.

Anonymous aggregated statistics: Once the user base is large enough (typically from Sprint 5 onwards), we produce yearly aggregated statistics per age group, position, and gender. These aggregates contain no personal data and cannot be traced back to individual players. They survive individual deletion because they are no longer personal data in a legal sense.

What does this mean for you? If you request deletion before a year-end, everything is deleted — including your share of upcoming aggregates. If you request deletion after a year-end where you contributed, all your personal data is deleted, but your anonymous contribution to the aggregated number remains (since it can no longer be linked to you).

In the anchor phase (2026) the user base is too small for aggregation to be anonymous, so no aggregates are produced yet.

Generated PDF — your copy: Every PDF generated is sent to your email address and remains in your email archive for as long as you wish. From Sprint 4 onwards, you will also be able to download previous reports directly in the app.

Email logs: Deleted after 30 days.

PDFs during generation: Gotenberg builds the PDF transiently in memory and never writes it to disk or blob. It is returned to us within seconds and no longer exists at the generation service afterwards.

Backup data: Dataverse backups are retained for 7 days by Microsoft and then automatically deleted.


6. Future of the service and funding

ActiveScanning is free today and is intended to remain free for core functionality — logging matches and receiving your own reports. Operations are funded by Edda AS in the anchor phase.

Future funding may include:

We will never:

If paid features are introduced: All historical data will remain freely available to the user. Existing users will be notified at least 6 months in advance of significant changes.


7. Your rights

You (or a guardian on behalf of a child under 15) have the right to:

To exercise these rights, send an email to personvern@trainingdiary.com (or support@activescanning.com).

In the anchor phase, all requests are handled manually within 7 days. When automated tools are in place (Sprint 4 and later), you will be able to exercise rights directly in the app.


8. Right to complain

If you believe we are processing your data unlawfully, you can complain to Datatilsynet (the Norwegian Data Protection Authority):


9. Changes to this policy

This policy is version 0.3 (anchor phase + Beta 1; v0.1 May 2026, v0.1.3 June 2026, v0.3 July 2026 — new § 3.5 and updated contact info). A public version (v1) will be issued before external wide registration. Version history is stored in our public code base.

Substantial changes (new data categories, new data processors, changed purpose) will be communicated by email to all active users at least 30 days before they take effect.


End of document.