Privacy Policy

1. Introduction

Norway Travel Services (hereinafter "we", "us", "the Company", or "NTS") respects your privacy and is committed to protecting your personal data. This Privacy Policy will inform you about how we collect, use, store, and protect your personal information, as well as your rights regarding data protection.

This policy complies with the requirements of the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Norwegian Personal Data Act (Personopplysningsloven).

Data Controller Information:
Company Name: Norway Travel Services
Registered Address: Oslo, Norway
Email: [email protected]
Phone: +47 911 98 986

2. What Personal Data We Collect

Depending on how you interact with us, we may collect the following types of personal data:

2.1 Information You Provide Directly

• Identity Information: Name, date of birth, gender, nationality
• Contact Information: Email address, phone number, mailing address
• Travel Documents: Passport number, visa information (only when necessary for booking)
• Payment Information: Credit card details, billing address (via secure third-party payment processors)
• Travel Preferences: Dietary restrictions, special needs, health information (if necessary)
• Communication Content: Your communications with us via email, contact forms, or phone

2.2 Automatically Collected Information

• Technical Data: IP address, browser type and version, time zone settings, operating system
• Usage Data: How you use our website, products, and services
• Cookies and Similar Technologies: See Section 8

2.3 Information from Third Parties

• Service Providers: Booking confirmations and service details from hotels, transportation companies, activity operators
• Payment Processors: Payment status and transaction details
• Public Sources: Travel review websites (if applicable)

3. How We Use Your Personal Data

We only use your personal data when we have a lawful basis. Under Article 6 of the GDPR, our lawful bases include:

3.1 Performance of Contract (GDPR Article 6(1)(b))

To provide the travel services you have booked, we need to process your personal data:

• Process and confirm your bookings
• Arrange services with third-party providers (hotels, transportation companies, etc.)
• Process payments and issue invoices
• Provide customer support and handle complaints
• Provide emergency assistance during travel

3.2 Legal Obligation (GDPR Article 6(1)(c))

We need to process certain data to comply with legal requirements:

• Accounting and tax records (Norwegian Accounting Act requires 5-year retention)
• Anti-money laundering and anti-fraud checks
• Responding to legal processes and government requests
• Compliance with travel guarantee requirements

3.3 Legitimate Interests (GDPR Article 6(1)(f))

We may process data based on legitimate interests without infringing on your rights:

• Improve our website and services
• Conduct data analysis and market research
• Prevent fraud and ensure cybersecurity
• Manage our business operations
• Protect our legal rights

3.4 Consent (GDPR Article 6(1)(a))

In certain cases, we will seek your explicit consent:

• Sending marketing communications (you can unsubscribe at any time)
• Using non-essential cookies
• Processing sensitive personal data (such as health information)
• Using your data for new purposes

4. Who We Share Your Data With

We do not sell your personal data. We only share your data when necessary with the following parties:

4.1 Service Providers

• Accommodation Providers: Hotels, guesthouses, vacation homes
• Transportation Companies: Airlines, bus companies, car rental companies
• Activity Operators: Tour companies, guide services
• Payment Processors: Stripe, Vipps, etc. (they have their own privacy policies)

4.2 Technical Service Providers

• Website Hosting: Manus (Norway)
• Email Services: SendGrid (USA, EU-US Data Privacy Framework certified)
• Analytics Tools: For website performance monitoring (anonymous data)

4.3 Legal and Regulatory Authorities

• Norwegian Data Protection Authority (Datatilsynet)
• Tax authorities
• Law enforcement agencies (when legally required)
• Courts and dispute resolution bodies

4.4 Business Transfers

If our business is sold, merged, or reorganized, your personal data may be transferred to the new owner. We will notify you before the transfer and ensure the new owner complies with this Privacy Policy.

5. International Data Transfers

Your personal data is primarily processed and stored within the European Economic Area (EEA). However, certain service providers may be located outside the EEA:

• SendGrid (USA): Our email service provider. SendGrid complies with the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCC).
• Payment Processors: May process transactions globally but use GDPR-approved safeguards.

When we transfer data outside the EEA, we ensure one of the following protections:

• EU Commission adequacy decision (recognizing the country provides adequate data protection)
• Standard Contractual Clauses (SCC)
• EU-US Data Privacy Framework certification
• Your explicit consent

6. Data Retention

We only retain your personal data for as long as necessary. Retention periods depend on the type of data and processing purpose:

After the retention period ends, we will securely delete or anonymize your personal data.

7. Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15)

You have the right to obtain a copy of the personal data we hold about you, as well as information about how we use that data.

7.2 Right to Rectification (Article 16)

If your personal data is inaccurate or incomplete, you have the right to request correction.

7.3 Right to Erasure / "Right to be Forgotten" (Article 17)

In certain circumstances, you have the right to request that we delete your personal data:

• The data is no longer needed for the purposes it was collected
• You withdraw consent and there is no other lawful basis
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required to comply with a legal obligation

Exceptions: We may be unable to delete your data if we need to retain it to comply with legal obligations (such as accounting records), establish legal claims, or protect others' rights.

7.4 Right to Restriction of Processing (Article 18)

In certain circumstances, you can request that we restrict processing of your personal data:

• You contest the accuracy of the data
• Processing is unlawful, but you don't want the data deleted
• We no longer need the data, but you need it to establish legal claims
• You have objected to processing, pending verification of our legitimate grounds

7.5 Right to Data Portability (Article 20)

You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.

7.6 Right to Object (Article 21)

You have the right to object to data processing based on legitimate interests or public interest. You also have the right to object to direct marketing at any time.

7.7 Right to Withdraw Consent

If we process data based on your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.

7.8 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, particularly in the EU member state of your residence, workplace, or where the alleged infringement occurred.

Norwegian Data Protection Authority (Datatilsynet):
Website: www.datatilsynet.no
Email: [email protected]
Phone: +47 22 39 69 00

How to Exercise Your Rights

To exercise any of the above rights, please contact us:

• Email: [email protected]
• Subject line: Data Protection Request
• Include: Your full name, contact information, details of your request

We will respond within 1 month of receiving your request. In complex cases, we may need an additional 2 months, but we will notify you of the delay and reasons.

Identity Verification: To protect your privacy, we may need to verify your identity before processing your request.

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve your experience and understand website usage.

8.1 What are Cookies?

Cookies are small text files placed on your device to store information. They are widely used to make websites work or work more efficiently.

8.2 Types of Cookies We Use

• Necessary Cookies: Essential for website functionality (e.g., session management, security) - no consent required
• Functional Cookies: Remember your preferences (e.g., language selection) - consent required
• Analytics Cookies: Help us understand how visitors use the website - consent required
• Marketing Cookies: Used to track visitors across websites (we currently do not use these)

8.3 Managing Cookies

You can control cookies by:

• Using the cookie consent banner on our website
• Changing your browser settings to block or delete cookies
• Using browser plugins to manage cookies

Note: Blocking certain cookies may affect website functionality.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, loss, destruction, alteration, or disclosure:

9.1 Technical Measures

• Encryption: All data transmission uses SSL/TLS encryption (HTTPS)
• Secure Storage: Data is stored on secure servers with firewall protection
• Access Controls: Only authorized personnel can access personal data
• Regular Backups: Prevent data loss
• Security Updates: Regular system and software updates

9.2 Organizational Measures

• Staff Training: All staff receive data protection training
• Confidentiality Agreements: Staff and contractors sign confidentiality agreements
• Principle of Least Privilege: Staff only access data needed to perform their work
• Vendor Management: We only work with GDPR-compliant vendors
• Incident Response Plan: Rapid response to data breaches

9.3 Data Breach Notification

If a data breach occurs that may pose a risk to your rights and freedoms, we will:

• Notify the Norwegian Data Protection Authority within 72 hours of discovering the breach
• If the risk is high, we will notify you directly
• Take measures to mitigate the impact of the breach

10. Children's Privacy

Our services are intended for adults (18 years and older). We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and you know that your child has provided us with personal data, please contact us. If we discover that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information.

Family Travel: If you are booking travel for minors, you as the parent/guardian are responsible for providing consent on their behalf.

11. Third-Party Links

Our website may contain links to third-party websites (such as hotels, activity operators, social media). We are not responsible for the privacy practices of these external websites.

When you click on a third-party link, you will be subject to that website's privacy policy. We recommend reading their privacy policy before providing any personal information.

12. Marketing Communications

We only send you marketing communications (such as travel offers, newsletters) if you have explicitly consented.

12.1 How to Opt In

• Check the "Receive marketing communications" box when booking
• Subscribe to our newsletter via our website
• Request to join our mailing list via email

12.2 How to Opt Out

You can unsubscribe from marketing communications at any time:

• Click the "Unsubscribe" link at the bottom of each marketing email
• Contact us via email: [email protected]
• Reply to any marketing email and request removal

Note: Even if you opt out of marketing communications, we will still send you transactional emails related to your bookings (such as booking confirmations, travel reminders).

13. Automated Decision-Making and Profiling

We currently do not use automated decision-making (including profiling), which means making decisions solely based on automated processing that produce legal effects or similarly significant impacts on you.

If we decide to use such technology in the future, we will:

• Notify you before processing your data
• Seek your explicit consent (if required)
• Provide you with the right to object or request human review

14. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Significant Changes: If we make significant changes to this policy, we will:

• Post the updated policy on our website
• Update the "Last Updated" date at the top of the page
• Notify you via email (if the change affects your rights)
• Seek your new consent if necessary

We recommend reviewing this policy regularly to stay informed about how we protect your information.

15. Contact Us

If you have any questions, comments, or requests regarding this Privacy Policy or our data practices, please contact us:

Norway Travel Services
Data Protection Contact
Email: [email protected]
Phone: +47 911 98 986
Address: Oslo, Norway

We will respond to your inquiry within 1 month of receipt.