Home » App Privacy Policy

Belay AI – App Privacy Policy

Effective Date: September 9, 2025
Last Updated: September 9, 2025

This Privacy Policy explains how Belay AI AS, a Norwegian company headquartered in Oslo (“Belay AI”, “we”, “us”), collects, uses, stores, and protects your personal data when you use the Belay AI Wall web application (the “App”).

1. Who We Are

Belay AI AS is the data controller for personal data processed through the Belay AI Wall App. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR).

The App can be used by people of all ages. However, under the GDPR, parental consent is required for users under the age of 13 in Norway (or the applicable minimum age in your country of residence). If we become aware that we have collected personal data from a child without the required parental consent, we will delete it promptly.

Contact:
Belay AI AS
Oslo, Norway
Company Registration Number: 932 740 575
Email: privacy@belay.ai

2. What Personal Data We Collect

When you use the App, cameras are only activated when you scan a QR code and start a session. If you do not activate a session through the App interface, no video will be recorded.

We collect and process the following types of personal data when you use the App:

• Session Video Data: Recordings of your climbing sessions, including your face and other identifiable features, captured when you activate a camera at the climbing center.
• Motion Analytics: Data generated from video analysis to provide climbing performance feedback.
• QR Code Metadata: Used to verify your presence at a climbing route and to link your session to your account. 
• Location Data: GPS or other users’ location data available. Camera activation is only possible when you are physically at the climbing center and on the relevant climbing route.
• Account Data: Your email address, used for authentication, session linking, and account management.
• Device and Access Information: Browser type, IP address, timestamps, and usage logs (for security monitoring and service performance).

We do not use video recordings for biometric identification (e.g., face recognition for identity verification).

3. How We Use Your Data

We process your data for the following purposes:

• Core Services: To provide you with video playback and movement analytics of your climbing sessions.
• Account Management: To allow you to access, review, and manage your own climbing sessions via your registered account.
• Communication: To contact you regarding your account, service updates, or security notifications. We will not send you marketing communications without your explicit consent.
• System Performance & Security: To maintain, monitor, and improve the stability, usability, and security of the App, including fraud prevention and unauthorized access detection.
• Compliance: To comply with legal and regulatory obligations applicable to our operations.
• Service Improvement: With your explicit consent, we may use anonymized or aggregated data from climbing sessions to improve our analytics models and service features.

4. Legal Basis for Processing

We rely on the following legal bases under the GDPR:

• Consent (Article 6(1)(a)): For the capture and analysis of video recordings, obtained when you activate a camera session via QR code. You may withdraw your consent at any time through the App by deleting your sessions.
• Contract (Article 6(1)(b)): When processing is necessary to deliver the services you request, including account management, video playback, and climbing analytics.
• Legitimate Interests (Article 6(1)(f)): For ensuring the security, performance, and proper functioning of the App. We have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms.
• Legal Obligations (Article 6(1)(c)): When processing is required to comply with applicable legal or regulatory requirements (e.g., data protection, consumer protection).

5. Data Storage and Retention

• Storage Location: All personal data is stored on encrypted servers within the European Economic Area (EEA).
• Videos: Stored until you delete them via the App. If you choose not to delete your videos, we will retain them to provide you with ongoing access. Deleted videos are also removed from system backups within 30 days.
• Metadata and Analytics: Session metadata (such as timestamps and QR code linkage) is retained for up to 90 days to ensure service performance and troubleshooting. After this period, metadata is either deleted or anonymized so that it can no longer be linked to an individual user. Aggregated, anonymized analytics may be retained beyond this period to help us improve our services.
• Device and Access Logs: Device and access logs (including IP address, browser type, timestamps, and login attempts) are retained for up to 90 days for security monitoring and system troubleshooting. After this period, logs are either deleted or anonymized so that they cannot be linked to an individual user.

You may delete your video sessions at any time via the App interface.

6. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Restriction & Objection: Limit or object to how we process your data, including for security or analytics purposes.
• Data Portability: Receive your personal data in a structured, machine-readable format and transmit it to another controller.
• Withdraw Consent: Withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

You can exercise these rights by contacting us at privacy@belay.ai. We may need to verify your identity before processing your request. We will respond within one month, in accordance with GDPR.

If you believe your rights have been violated, you also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or with your local supervisory authority.

7. Data Sharing and Subprocessors

We do not sell or share your personal data for commercial purposes.

We use trusted third-party subprocessors to help us provide the App (for example, cloud hosting providers, video processing services, or email delivery tools). All subprocessors are contractually required to meet GDPR standards.

Currently, our primary subprocessor is Amazon Web Services (AWS), which provides cloud hosting and cloud processing within the EEA.

A complete and up-to-date list of subprocessors can be provided upon request by contacting us at privacy@belay.ai.

To request a list of our current subprocessors, please contact us at privacy@belay.ai with the subject line: “Request for Subprocessor List – Belay AI Wall”

8. Data Security

We implement robust technical and organizational measures to protect your personal data, including:

• Encryption: All data is encrypted in transit and at rest.
• Access Controls: Access to personal data is limited to authorized staff on a need-to-know basis, using role-based access control.
• Monitoring: Internal logging and anomaly detection are used to identify potential security issues.
• Reviews: Regular security reviews, updates, and patching of our systems and infrastructure.
• Trusted Providers: Our hosting providers maintain industry security certifications (such as ISO 27001 and SOC 2).
• Incident Response: In the unlikely event of a data breach, we will take immediate action and notify affected users and authorities in accordance with GDPR requirements.

9. International Transfers

We store and process your personal data within the European Economic Area (EEA).

If our subprocessors are headquartered outside the EEA (for example, cloud service providers), personal data may be accessible from outside the EEA. In such cases, we ensure that appropriate safeguards are in place, such as:

• Adequacy Decisions issued by the European Commission (where applicable), or
• Standard Contractual Clauses (SCCs) approved by the European Commission.

These safeguards ensure that your personal data receives a level of protection essentially equivalent to that guaranteed within the EEA.

10. Cookies

The App uses essential cookies that are necessary for core functions such as login sessions and account management. We may also use cookies or similar technologies for service analytics to help us understand usage patterns and improve the App.

You can manage or disable cookies in your browser settings. However, please note that some features of the App may not function properly without essential cookies

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or business practices.

• Notification: If we make material changes that affect your rights or how we process your personal data, we will notify you through the App (and by email if appropriate) before the changes take effect.
• Effective Date: The date of the latest update will always be displayed at the top of this Privacy Policy.
• Your Choices: If you do not agree with the updated policy, you may stop using the App and request deletion of your personal data. Where processing is based on consent, you will be able to withdraw that consent at any time.