Involve by INVI App

Privacy policy

Privacy Policy for Involve by INVI App
Involve (hereinafter referred to as "the Service") is a mobile and web-based service published by the Institute for wicked (hereinafter referred to as "INVI"). At INVI, data protection and confidentiality are a high priority. This privacy policy explains what personal data we collect from you when you use our service and how we process it. The privacy policy has been drawn up in accordance with the EU's General Data Protection Regulation (GDPR).


Contact information: Data controller
INVI - Institute for wicked
CVR no. 44166542
Snaregade 10B, 1208 Copenhagen K
Email: developer@invi.nu
Telephone: +45 53612583


What data do we process, why, and how?
The service collects and processes data when you:


a) Register as a user of the service
b) Respond to questionnaires via the service


When you register, your username, password, and email address are saved.

When you use the service, the following data may be collected:

  • Audio recordings submitted in response to a survey question

  • Text responses submitted in response to a survey question

  • Images submitted in response to a survey question

  • Annotations (categories) that you choose to tag your answers with

  • Current geolocation (only when submitting a response and only with your permission)

The geolocation feature is designed so that you are always asked for permission, and the service only collects location data at the moment you submit a response.


Legal basis for processing general personal data
We process your personal data on the following basis 

  • Registration and account data: Processed based on our legitimate interest in managing user access and ensuring a well-functioning service (GDPR Art. 6(1)(f)), balanced against your rights. We have conducted a balancing of interests to ensure that our interests do not override your fundamental rights and freedoms.

  • Questionnaire responses (text, image, audio, location): Processed on the basis of your consent (GDPR Art. 6(1)(a)). You can withdraw your consent at any time by writing to us at developer@invi.nu.

  • Transcription of audio recordings of your responses: Processed on the basis of your consent (GDPR Art. 6(1)(a))
    Service improvement (aggregated statistics): Processed on the basis of our legitimate interest (GDPR Art. 6(1)(f)), always balanced against your rights and freedoms.


Sensitive personal data (special categories, GDPR Art. 9)
The service does not require you to submit sensitive information (e.g., health data, political opinions, religious beliefs, or trade union membership). If you voluntarily share such information, it will only be processed with your active consent (GDPR Art. 9(2)(a)).

INVI follows the principle of data minimization:

  • We do not analyze or store sensitive data beyond what is necessary.

  • Where possible, data is anonymized early in the process.

  • Data is never published in an identifiable form.


Children's personal data
The service is not intended for children under the age of 15. We do not knowingly process personal data about children under the age of 15 without the consent of their parents or guardians. If we become aware that such data has been collected, it will be deleted immediately.

We have assessed that children aged 15 and above are capable of consenting to the use of the service.


How do we use your data?
Data is used by INVI's analytics team to:

  • Register as a user

  • Analyze your responses to questionnaires

  • Stay informed about developments in projects you are involved in.

Cloud storage and processing via third parties
The service uses DigitalOcean for operation and hosting as well as for data storage. We use Microsoft Azure for data processing. All servers are located in the EU. These data processors only process data on our behalf and according to our instructions. Data is encrypted during both transfer and storage, and access is automatically logged and restricted to authorized employees. INVI has entered into a data processing agreement with Microsoft and DigitalOcean in accordance with GDPR Art. 28.

When collecting audio data, we use Microsoft Azure for transcription. We also use large language models hosted in Microsoft Azure to embed and analyze data. All data processing takes place within the EU, in full compliance with the GDPR's data locality requirements. Azure acts solely as a data processor and does not access or use the content of the data for any other purpose.

Furthermore, personal data will not be shared with third parties without explicit and separate consent. No personally identifiable data will be published in research, reports, or external communications.


Data storage
All data is stored on servers within the EU, in accordance with GDPR.
Data is stored on encrypted disks and sent via SSL/HTTPS. Access is restricted to authorized personnel. No data is transferred to countries outside the EU/EEA.


Deletion of data

  • Account data (username, password, and email) will be deleted 6 months after the project's completion.

  • Raw audio files are only stored until transcription is complete and quality assured – for a maximum of 6 months from the completion of data collection.

  • Questionnaire responses (text, images, annotations, location) are stored in identifiable form for a maximum of six months after the end of the project.

  • All personal information is then anonymized. The anonymized data may be retained indefinitely for research and reporting purposes, but never in a form that can identify you.


Your rights
You have the following rights under the GDPR:

  • Access: You may request access to the information we process about you.

  • Correction: You can request that incorrect information be corrected.

  • Deletion: You may request that your data be deleted under certain conditions.

  • Restriction: You may request restriction of processing.

  • Objection: You may object to the processing.

  • Data portability: You can request that your data be disclosed or transferred.

  • Withdrawal of consent: You may withdraw your consent at any time.

  • Complaint: You can lodge a complaint with the relevant supervisory authority.

If you wish to exercise your rights, please contact us at developer@invi.nu. We will endeavor to respond within one month.


Supervisory authority
You have the right to lodge a complaint with the Danish Data Protection Agency. You can do so at:

Danish Data Protection Agency
Carl Jacobsens Vej 35, 2500 Valby
Telephone: +45 33 19 32 00
Email: dt@datatilsynet.dk

You are also welcome to contact us first if you believe that we have processed your data incorrectly – we will do our best to resolve the issue.


Changes to the privacy policy
INVI keeps its privacy policy up to date and publishes changes on this page. This privacy policy was last updated on December 4, 2025.