Privacy Policy for Nordlys Natur og Opplevelser AS

This privacy policy explains how Nordlys Natur og Opplevelser AS collects, uses, stores, shares, and protects personal data when you use our services, visit our website, contact us, or otherwise interact with us. We are committed to handling personal data in a lawful, fair, transparent, and secure manner in accordance with applicable privacy laws.

1. Introduction and company information

The data controller for the processing of personal data described in this privacy policy is:

• Company name: Nordlys Natur og Opplevelser AS
• Address: Nordlys Natur og Opplevelser AS, Storgata 12, 0155 Oslo, Norway
• Email: [email protected]
• Phone: +47 23 48 76 19

Nordlys Natur og Opplevelser AS provides nature-based experiences, outdoor activities, guided tours, and related services. Depending on how you interact with us, we may process personal data about customers, prospective customers, website visitors, business partners, and other individuals who contact us.

2. Data collection and processing

We may collect and process the following categories of personal data:

• Identification data: name, date of birth, and, where relevant, identification details necessary for booking or safety purposes.
• Contact information: email address, phone number, postal address, and emergency contact details if provided.
• Booking and transaction data: reservations, payment status, invoices, purchase history, and service preferences.
• Communication data: messages, inquiries, feedback, complaints, and correspondence with our customer service.
• Participation and safety data: information relevant to participation in outdoor activities, such as dietary requirements, health-related information you choose to share, experience level, and special assistance needs.
• Technical data: IP address, browser type, device information, log data, and cookies or similar technologies used on our website.
• Marketing data: consent preferences, newsletter subscriptions, and responses to marketing communications.

We normally collect personal data directly from you when you make a booking, contact us, subscribe to communications, participate in an activity, or use our website. In some cases, we may receive data from third parties such as payment providers, booking platforms, travel partners, or public authorities where permitted by law.

3. Purpose of data processing

We process personal data for the following purposes:

• to manage bookings, registrations, and customer accounts;
• to provide and deliver our nature and outdoor services;
• to communicate with you about your booking, inquiries, changes, or service updates;
• to process payments, refunds, and accounting records;
• to ensure safety, risk management, and suitability for participation in activities;
• to comply with legal obligations, including accounting, tax, consumer, and safety requirements;
• to improve our services, website, and customer experience;
• to send marketing communications where permitted and, if required, where you have consented;
• to prevent fraud, misuse, and unauthorized access;
• to handle disputes, claims, and legal matters.

4. Legal basis for processing

We process personal data only where we have a valid legal basis. Depending on the context, the legal basis may include:

• Performance of a contract: where processing is necessary to provide booked services, manage reservations, or take steps at your request before entering into a contract.
• Legal obligation: where processing is required to comply with applicable laws and regulations.
• Legitimate interests: where processing is necessary for our legitimate business interests, such as service improvement, customer communication, security, and fraud prevention, provided that your interests and fundamental rights do not override those interests.
• Consent: where you have given clear consent, for example for certain marketing communications, cookies, or the processing of sensitive information you voluntarily provide in connection with participation in activities.

Where we process special category or sensitive personal data, such as health-related information, we do so only when necessary and with an appropriate legal basis under applicable law, including your explicit consent where required.

5. Data sharing and third parties

We may share personal data with third parties only when necessary for the purposes described in this policy and in compliance with applicable law. Such third parties may include:

• Payment service providers for processing card payments and refunds;
• Booking and IT service providers that support our reservation systems, website hosting, email services, and customer management tools;
• Accounting, audit, and legal advisors where necessary for compliance and professional support;
• Insurance providers in connection with claims, incidents, or risk management;
• Activity partners, guides, and subcontractors who help deliver our services;
• Public authorities where disclosure is required by law or a lawful request.

We require our service providers and partners to protect personal data and to process it only in accordance with our instructions and applicable law.

6. Data transfer to third countries

In some cases, personal data may be transferred to or accessed from countries outside Norway or the European Economic Area (EEA), for example when we use international IT providers or service partners. Where such transfers occur, we take appropriate safeguards to protect your personal data, such as:

• using providers located in countries recognized as providing an adequate level of protection;
• entering into standard contractual clauses or equivalent transfer mechanisms;
• implementing additional technical and organizational measures where necessary.

You may contact us for more information about international transfers and the safeguards we use.

7. Storage duration

We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. Retention periods may depend on the type of data and the purpose of processing. In general:

• booking and transaction records are retained for the period required by accounting and tax laws;
• customer correspondence is retained for as long as needed to handle the inquiry and any follow-up;
• marketing data is retained until you withdraw consent or object, where applicable;
• safety-related information is retained for as long as necessary to manage risk, incidents, or legal claims;
• technical logs are retained for a limited period for security and operational purposes.

When personal data is no longer needed, we delete it or anonymize it in a secure manner.

8. User rights

Subject to applicable law, you may have the following rights regarding your personal data:

• Right of access: to obtain confirmation of whether we process your personal data and receive a copy of that data.
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure: to request deletion of your personal data in certain circumstances.
• Right to restriction: to request that we limit the processing of your personal data in certain situations.
• Right to data portability: to receive certain data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.
• Right to object: to object to processing based on legitimate interests and to object at any time to direct marketing.

To exercise your rights, please contact us using the details provided below. We may need to verify your identity before responding. We will respond within the time limits required by applicable law.

9. Withdrawal of consent

Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent, we may no longer be able to provide certain services or communications that depend on that consent.

You can withdraw consent by contacting us at [email protected] or by using any unsubscribe or preference-management option we provide.

10. Right to complain

If you believe that our processing of your personal data violates applicable privacy laws, you have the right to lodge a complaint with the relevant supervisory authority. In Norway, this is the Norwegian Data Protection Authority (Datatilsynet).

We encourage you to contact us first so that we can try to resolve your concern directly and promptly.

11. Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include access controls, encryption where appropriate, secure storage, staff confidentiality obligations, and regular review of our security practices.

While we take reasonable steps to protect your data, no system can be guaranteed to be completely secure. You should also take care to protect your own devices and account information.

12. Contact information

If you have questions about this privacy policy or our processing of personal data, or if you wish to exercise your rights, please contact:

• Nordlys Natur og Opplevelser AS
• Address: Nordlys Natur og Opplevelser AS, Storgata 12, 0155 Oslo, Norway
• Email: [email protected]
• Phone: +47 23 48 76 19

13. Changes to privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, services, legal requirements, or technology. The updated version will be published on our website or otherwise made available to you. We encourage you to review this policy periodically to stay informed about how Nordlys Natur og Opplevelser AS protects your personal data.

Last updated: 2026-04-24