Privacy Policy for Nordlys Byvandringer AS

This privacy policy explains how Nordlys Byvandringer AS collects, uses, shares, stores, and protects personal data when you use our services, visit our website, contact us, or otherwise interact with us. We are committed to protecting your privacy and processing personal data in a lawful, fair, and transparent manner.

1. Introduction and company information

The data controller for the processing of personal data described in this privacy policy is:

• Company name: Nordlys Byvandringer AS
• Address: Rosenkrantz' gate 7, 0159 Oslo, Norway
• Email: [email protected]
• Phone: +47 23 10 84 57

Nordlys Byvandringer AS operates city-walk and guided walking tour services. Depending on how you interact with us, we may process personal data about customers, prospective customers, website visitors, business contacts, and other individuals who communicate with us.

2. Data collection and processing

We may collect and process the following categories of personal data:

• Identification data: name, contact details, and other information you provide when booking or contacting us.
• Booking and transaction data: tour dates, number of participants, payment status, and related reservation details.
• Communication data: correspondence by email, phone, contact forms, or other channels.
• Technical data: IP address, browser type, device information, cookies, and usage data from our website.
• Preference data: language preferences, accessibility needs, and other information relevant to providing our services.
• Marketing data: consent preferences and information related to newsletters or promotional communications, where applicable.

We normally collect personal data directly from you. In some cases, we may also receive data from third parties, such as booking platforms, payment providers, or business partners involved in delivering our services.

3. Purpose of data processing

We process personal data for the following purposes:

• to manage bookings, reservations, and customer service;
• to provide and administer city-walk services;
• to communicate with you before, during, and after a tour;
• to process payments, refunds, and accounting-related matters;
• to comply with legal obligations;
• to improve our services, website, and customer experience;
• to send marketing communications where permitted and/or consented to;
• to prevent fraud, misuse, and security incidents;
• to handle complaints, claims, and disputes.

4. Legal basis for processing

We process personal data on one or more of the following legal bases, depending on the context:

• Performance of a contract: when processing is necessary to provide booked services or take steps at your request before entering into a contract.
• Legal obligation: when processing is required to comply with applicable laws, such as accounting, tax, or consumer protection requirements.
• Legitimate interests: when processing is necessary for our legitimate interests, such as operating and improving our services, ensuring security, and managing customer relations, provided that your interests and fundamental rights do not override those interests.
• Consent: where we rely on your consent, for example for certain marketing activities or optional cookies, you may withdraw consent at any time.

5. Data sharing and third parties

We may share personal data with third parties where necessary for the purposes described in this policy. Such third parties may include:

• payment service providers;
• booking and reservation system providers;
• IT and hosting providers;
• email and communication service providers;
• accountants, auditors, and legal advisers;
• public authorities where required by law;
• business partners or subcontractors involved in delivering tours or related services.

We only share personal data to the extent necessary and require appropriate contractual and security safeguards where applicable.

6. Data transfer to third countries

In some cases, personal data may be transferred to or accessed from countries outside Norway and the European Economic Area (EEA), for example through service providers or cloud-based systems. Where such transfers occur, we will ensure that appropriate safeguards are in place in accordance with applicable law, such as standard contractual clauses or other lawful transfer mechanisms.

7. Storage duration

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The retention period depends on the type of data and the purpose of processing. In general:

• booking and customer records are kept for as long as needed to administer the service and handle follow-up matters;
• accounting and tax-related records are retained for the period required by applicable law;
• communication records are kept for a reasonable period after the last contact;
• marketing data is retained until you withdraw consent or object, where applicable;
• technical logs are retained for a limited period for security and operational purposes.

When personal data is no longer needed, it will be deleted or anonymized in a secure manner.

8. User rights

Subject to applicable law, you may have the following rights regarding your personal data:

• Access: to request confirmation of whether we process your personal data and obtain a copy of that data.
• Rectification: to request correction of inaccurate or incomplete personal data.
• Erasure: to request deletion of personal data in certain circumstances.
• Restriction: to request that we limit the processing of your personal data in certain situations.
• Data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format, where applicable.
• Objection: to object to processing based on legitimate interests and, where applicable, to direct marketing.

To exercise your rights, please contact us using the contact details provided below. We may need to verify your identity before responding to your request.

9. Withdrawal of consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent, we may no longer be able to provide certain optional services or communications.

10. Right to complain

If you believe that our processing of personal data is not in accordance with applicable law, you have the right to lodge a complaint with the competent supervisory authority. In Norway, this is the Norwegian Data Protection Authority (Datatilsynet).

We encourage you to contact us first so that we can try to resolve your concern directly.

11. Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include access controls, encryption where appropriate, secure storage, staff confidentiality obligations, and regular review of our security practices.

While we take reasonable steps to protect personal data, no method of transmission over the internet or electronic storage is completely secure. We therefore cannot guarantee absolute security.

12. Contact information

If you have questions about this privacy policy or our processing of personal data, or if you wish to exercise your rights, you may contact us at:

• Nordlys Byvandringer AS
• Rosenkrantz' gate 7, 0159 Oslo, Norway
• Email: [email protected]
• Phone: +47 23 10 84 57

13. Changes to privacy policy

We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or processing practices. The updated version will be published on our website with a revised effective date where appropriate. We encourage you to review this privacy policy periodically to stay informed about how Nordlys Byvandringer AS processes personal data.