Privacy Policy for Nitteberg AS

Last updated: 12 August 2025

Data controller: Nitteberg AS
Organization number: 931309862
Address: Gardermovegen 128, Nannestad
Email: personvern@nitteberg.as
Phone: 959 41 166
Website: nitteberg.as

1. Introduction and scope

This privacy policy describes how Nitteberg AS (“we”, “us”, “the company”) processes personal data in connection with the operation of the online store nitteberg.as and related services.

We are the data controller for the personal data processed under this statement and are committed to protecting your privacy in accordance with:

  • EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • The Norwegian Personal Data Act (LOV-2018-06-15-38), which implements the GDPR in Norway
  • The E-commerce Act (LOV-2003-05-23-35)
  • The Marketing Act (LOV-2009-01-09-2)
  • Other relevant national and international privacy regulations

This privacy policy applies to all users of our services regardless of geographic location, with specific provisions for persons in the EU/EEA and for other international users.

2. Legal basis and purpose

2.1 Performance of a contract (GDPR Art. 6(1)(b))

Purpose: Execution and fulfillment of purchase agreements

Processed data:

  • Identity information (name, date of birth)
  • Contact information (address, phone number, email)
  • Delivery information (delivery address, special instructions)
  • Payment information (billing address, payment method references)
  • Transaction information (order number, purchase history, amount)

Retention period: 5 years after the last transaction, in accordance with the Bookkeeping Act and the complaint deadlines of the Consumer Purchase Act

2.2 Legal obligation (GDPR Art. 6(1)(c))

Purpose: Fulfillment of legal obligations

Processed data:

  • Accounting information (billing data, VAT basis)
  • Transaction logs (for anti-money laundering and tax purposes)
  • Complaint and warranty documentation

Retention period: In accordance with applicable legislation (usually 5–10 years)

Relevant laws:

  • The Bookkeeping Act
  • The Tax Act
  • The Anti-Money Laundering Act
  • The Consumer Purchase Act

2.3 Legitimate interest (GDPR Art. 6(1)(f))

Purpose: Business operations, security, and business development

Processed data:

  • Website access data (IP address, user agent, timestamps)
  • Communication information (customer service correspondence)
  • Technical logs (error messages, performance data)
  • Market analysis data (aggregated user statistics)

Legitimate interest assessment: We have assessed that our legitimate interests in efficient operations, security, and business development are not overridden by your interests or fundamental rights and freedoms, given the protective measures described in section 8. You may object to this processing at any time (see section 7.7).

Retention period: 2 years for technical logs, 3 years for customer service correspondence

2.4 Consent (GDPR Art. 6(1)(a))

Purpose: Marketing and communication

Processed data:

  • Email address for newsletter
  • Communication preferences
  • Marketing segmentation data

Consent management: Consent is obtained through an explicit opt-in mechanism and can be withdrawn at any time, as easily as it was given (GDPR Art. 7(3)).

Retention period: Until consent is withdrawn or 3 years without interaction

3. Categories of personal data

3.1 Identity information

  • Direct identifiers: Name, date of birth
  • Indirect identifiers: Customer number, user ID
  • Legal basis for processing: Performance of contract
  • Retention period: 5 years after last transaction

3.2 Contact information

  • Physical address: Residential address, delivery address, billing address
  • Electronic contact: Email address, phone number
  • Legal basis for processing: Performance of contract, legitimate interest
  • Retention period: 5 years after last transaction

3.3 Financial information

  • Payment data: Payment method references (not full card numbers)
  • Transaction information: Purchase history, invoice data, refunds
  • Legal basis for processing: Performance of contract, legal obligation
  • Retention period: 5 years in accordance with the Bookkeeping Act

3.4 Technical information

  • Network data: IP address; MAC address only where available (a web server does not receive the MAC address of remote devices, so this is limited to devices on the same local network as our equipment)
  • Device data: User agent, screen resolution, operating system
  • Behavioral data: Pages visited, click paths, session duration
  • Legal basis for processing: Legitimate interest, consent (for cookies)
  • Retention period: 13 months for web analytics, 2 years for security logs

3.5 Communication information

  • Customer service: Email correspondence, phone calls (when recorded)
  • Complaint data: Complaint cases, return information
  • Legal basis for processing: Performance of contract, legitimate interest
  • Retention period: 3 years after last communication

4. Data sources and collection methods

4.1 Direct collection from you

  • Account registration: Voluntary creation of a user account
  • Order process: Necessary information for completing purchases
  • Customer service: Inquiries via email, phone, or chat
  • Newsletter registration: Explicit consent-based subscription

4.2 Automatic collection

  • Cookies and similar technologies: See section 9 and our cookie policy
  • Server logs: Automatic recording of website access
  • Error reporting: Technical errors and performance data

4.3 Third-party sources

  • Payment providers: Vipps AS and Stripe Inc. for payment validation
  • Shipping providers: PostNord, Bring, DHL for delivery confirmation
  • Credit check: For invoice orders (with consent)

5. Disclosure to third parties

5.1 Data processors (GDPR Art. 28)

Payment providers:

  • Vipps AS (Norway): Processes payment data for Norwegian customers
  • Stripe Inc. (USA/Ireland): Processes payment data for international customers
  • Data processing agreements: Concluded in accordance with GDPR Art. 28
  • Transfer basis: No transfer mechanism is required for providers established in the EU/EEA; for transfers to the USA, the EU–US Data Privacy Framework adequacy decision, with Standard Contractual Clauses as fallback (see section 6)

IT service providers:

  • Hosting: WPX – Server hosting and infrastructure
  • Email: Domeneshop – Email delivery and communication
  • Analytics: Google Analytics (anonymized) – Website analytics
  • Support: Domeneshop – Customer service platform

Logistics partners:

  • Proteria AS

5.2 Authorities and public bodies

Personal data may be disclosed to authorities when required by law, including:

  • Tax authorities: Transaction information for tax and VAT purposes
  • Police authorities: Upon a court order or other lawful request
  • Financial Supervisory Authority: In cases of suspected money laundering or terrorist financing
  • Customs and excise authorities: For international shipments

5.3 Business transfers

In the event of a merger, acquisition, or business transfer, personal data may be transferred to a new owner subject to:

  • Prior notice to data subjects
  • Maintenance of the same level of privacy protection
  • Possibility to have data deleted upon objection

6. International data transfers

6.1 Transfers to third countries

USA (Stripe Inc.):

  • Transfer basis: EU–US Data Privacy Framework (adequacy decision)
  • Additional protection: Standard Contractual Clauses as fallback
  • Purpose: Payment processing for international customers

Other third countries:

  • Transfers only occur under an adequacy decision or with appropriate safeguards
  • Standard Contractual Clauses (SCCs) are implemented where necessary
  • Transfer Impact Assessments are carried out for high-risk transfers

6.2 EEA/EU transfers

Transfers within the EEA/EU take place freely in accordance with the GDPR without additional safeguards.

7. Your rights as a data subject

7.1 Right to Information (GDPR Art. 13-14)

You have the right to receive information about the processing of your personal data, as provided in this Privacy Policy.

7.2 Right of Access (GDPR Art. 15)

You may request access to all personal data we process about you, including:

  • Categories of personal data
  • Purposes of processing
  • Recipients of the data
  • Retention periods
  • Origin of the data

Procedure: Send a written request to personvern@nitteberg.as. Where we have reasonable doubts about your identity, we may ask you to verify it before responding (GDPR Art. 12(6)); do not send copies of identity documents unless we ask for them.

7.3 Right to Rectification (GDPR Art. 16)

You may request correction of inaccurate or completion of incomplete personal data.

7.4 Right to Erasure (“Right to be Forgotten”) (GDPR Art. 17)

You may request the deletion of personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and no other legal basis exists
  • The data has been processed unlawfully
  • Deletion is required to comply with a legal obligation

Limitations: Deletion may be refused where processing is necessary for:

  • Compliance with a legal obligation
  • Establishment, exercise, or defence of legal claims
  • Performance of a task carried out in the public interest

7.5 Right to Restrict Processing (GDPR Art. 18)

You may request the restriction of processing when:

  • You contest the accuracy of the personal data
  • The processing is unlawful but you oppose deletion
  • You need the data for legal claims even though we no longer need it
  • You have objected to processing based on legitimate interest

7.6 Right to Data Portability (GDPR Art. 20)

For data processed on the basis of consent or contract, you have the right to:

  • Receive the data in a structured, commonly used, and machine-readable format
  • Transfer the data to another controller

7.7 Right to Object (GDPR Art. 21)

You may object to processing based on legitimate interest or public interest. We will then stop processing unless we can demonstrate compelling legitimate grounds.

Direct Marketing: You have an absolute right to object to processing for direct marketing purposes.

7.8 Rights Related to Automated Decision-Making (GDPR Art. 22)

You have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects.

Our Practice: We do not make automated decisions with legal effects without human involvement.

8. Technical and Organisational Security Measures

8.1 Technical Security Measures

Encryption:

  • Transport: TLS 1.3 for all data transmission
  • Storage: AES-256 encryption for sensitive data at rest
  • Databases: Encrypted database connections and field-level encryption

Access Control:

  • Multi-factor authentication: For all administrative accounts
  • Role-based access: Minimum necessary access principle
  • Regular access review: Quarterly audit of user rights

Network Security:

  • Firewalls: Next-generation firewalls with intrusion detection
  • Vulnerability management: Automated vulnerability scanning supplemented by manual penetration testing
  • Monitoring: 24/7 security monitoring and incident response

8.2 Organisational Security Measures

Personnel:

  • Background checks: For all employees with access to personal data
  • Privacy training: Mandatory annual training for all staff
  • Non-disclosure agreements: Contractual confidentiality obligations

Procedures:

  • Incident response plan: Documented procedures for personal data breaches
  • Data retention policy: Automated deletion routines
  • Vendor management: Due diligence and contractual requirements for suppliers

Physical Security:

  • Access control: Card-based access to server rooms (operated by our hosting provider, see section 5.1)
  • Surveillance: CCTV and alarm systems
  • Secure destruction: Certified destruction of physical media

9. Cookies and tracking

9.1 Necessary Cookies

Purpose: Basic website functionality
Legal basis: Legitimate interest (strictly necessary cookies do not require consent)
Duration: Session-based or 1 year
Examples: Shopping cart, language selection, login status

9.2 Performance Cookies

Purpose: Website optimization and troubleshooting
Legal basis: Consent for storing the cookies on your device (Norwegian Electronic Communications Act); legitimate interest for processing the resulting anonymized statistics
Duration: 13 months
Providers: Google Analytics (anonymized)

9.3 Marketing Cookies

Purpose: Targeted advertising and conversion tracking
Legal basis: Consent
Duration: 13 months
Providers: Google Ads, Facebook Pixel, Microsoft Advertising

Cookie Consent: Managed through our cookie banner with granular options.

10. Data Storage and Retention Periods

10.1 General Principles

  • Data minimization: We only store necessary personal data
  • Storage limitation: Data is deleted once the purpose has been fulfilled
  • Automated deletion routines: Implemented for all data categories

10.2 Specific Retention Periods

Data category                     | Retention period                               | Legal basis
----------------------------------+------------------------------------------------+----------------------------------
Customer data (active customers)  | 5 years after last transaction                 | Bookkeeping Act, warranty periods
Customer data (inactive)          | 3 years without activity                       | Legitimate interest
Payment information               | 5 years                                        | Bookkeeping Act
Marketing data                    | Until consent is withdrawn or 3 years without interaction | Consent
Web analytics                     | 13 months                                      | Legitimate interest
Security logs                     | 2 years                                        | Legitimate interest
Warranty/complaint cases          | 5 years after closure                          | Legal obligation

11. Personal Data Breaches and Notification Procedures

11.1 Internal Procedures

  • Detection: 24/7 monitoring and automated alert systems
  • Assessment: Immediate risk evaluation and classification
  • Intervention: Immediate actions to limit damage
  • Documentation: Complete logging of breaches and response measures

11.2 Notification Obligations

To the supervisory authority (Datatilsynet):

  • Deadline: Without undue delay and not later than 72 hours after we become aware of the breach
  • Conditions: Unless the breach is unlikely to result in a risk to the rights and freedoms of the persons affected
  • Content: Nature of the breach, categories and number affected, likely consequences, measures taken

To the data subjects:

  • Deadline: Without undue delay
  • Conditions: When the breach is likely to pose a high risk
  • Content: Nature of the breach, contact information, likely consequences, measures taken

11.3 History and Statistics

We maintain detailed records of all personal data breaches, including those not notified, in accordance with GDPR Article 33(5), for inspection by the supervisory authority.

12. Children's Privacy

12.1 Age Limits

  • Minimum age: 16 years for independent use of the services
  • Under 16 years: Requires parental/guardian consent and involvement
  • Verification: Age verification upon account creation

12.2 Special Protection Measures

  • Limited data collection: Only the information necessary for the service
  • Parental control: Parents’ right to access and delete data
  • Marketing ban: No direct marketing to minors
  • Enhanced security: Stricter access control and encryption

13. International Users - Special Provisions

13.1 EU/EEA Citizens

  • Full GDPR protection: All rights under GDPR Articles 12–23
  • Supervisory authority: Contact your local Data Protection Authority or the Norwegian Data Protection Authority (Datatilsynet)
  • Dispute resolution: EU Online Dispute Resolution platform available

13.2 California Consumer Privacy Act (CCPA) – California Residents

  • “Do Not Sell” right: We do not sell personal data
  • Non-discrimination: No discriminatory treatment for exercising rights
  • Categories shared: See section 5 regarding disclosure to third parties

13.3 Other International Users

  • Minimum protection: GDPR-equivalent rights offered to all users
  • Local laws: Local privacy laws may grant additional rights
  • Contact: English-speaking customer support available for all inquiries

14. Supervisory Authorities and Right to Complain

14.1 Primary Supervisory Authority

Datatilsynet (Norway)

  • Postal address: Postboks 458 Sentrum, 0105 Oslo
  • Phone: 22 39 69 00
  • Email: postkasse@datatilsynet.no
  • Website: datatilsynet.no

14.2 EU/EEA Citizens

You may also contact the data protection authority in your home country within the EU/EEA.

14.3 Right to Complain

You have the right to lodge a complaint with a supervisory authority if you believe we are processing your personal data in violation of applicable data protection laws.

15. Contact Information for Privacy Inquiries

15.1 Data Protection Officer (DPO)

Contact: dpo@nitteberg.as
Role: Independent guidance and monitoring of privacy practices
Availability: Weekdays 09:00–16:00

15.2 Privacy Contact

General inquiries: personvern@nitteberg.as
Rights requests: rettigheter@nitteberg.as
Privacy breaches: incident@nitteberg.as

15.3 Response Times

  • Access and rights requests: Within one month; may be extended by two further months in complex cases, in which case you are informed of the extension and the reasons within the first month (GDPR Art. 12(3))
  • General inquiries: 5 business days
  • Privacy breaches: Immediate (24/7 emergency readiness)

16. Changes to the Privacy Policy

16.1 Notification Procedures

  • Major changes: Email notification to all registered users 30 days in advance
  • Minor changes: Published on the website with an updated date
  • New processing purposes: Collection of new consent when necessary

16.2 Version Control

We retain historical versions of the privacy policy with timestamps for transparency and tracking purposes.


This privacy policy replaces all previous versions and is legally binding from the effective date.

Legal advisor: Mattis
Contact for legal inquiries: legal@nitteberg.as