1. Introduction

This Privacy Policy explains how Norland & Co AS (“we”, “our”, “us”) collects, uses, stores, and protects personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Norwegian privacy laws.

We primarily process business contact information for communication with potential clients, partners, and service users.

2. Data Controller

Norland & Co AS is the data controller for all processing of personal data described in this policy.
If you have any questions or requests regarding your personal data, please contact us at:
access@norlandco.com

3. Data We Collect

We collect only the personal data necessary for legitimate business purposes. This may include:

We collect only personal data that is necessary for legitimate business purposes. This may include:

• Contact details, such as your name, company, position, email address and phone number, so that we can respond to inquiries, schedule meetings and manage relationships.

• Communication data, such as correspondence through HubSpot, WhatsApp or LinkedIn, to maintain business communications.

• Website usage data, including IP address, browser type, pages visited and time spent on the site, to improve performance and user experience.

• Transactional data, including billing details, company name and VAT number collected through Stripe or PandaDoc, to issue invoices and process payments.

We do not collect or process sensitive personal data.

We do not collect sensitive personal data.

4. How Data Is Collected

Personal data is collected when you:

• Submit information via the Apply for Access form on our website

• Communicate with us through email, WhatsApp, or LinkedIn

• Enter into a contract or payment through Stripe or PandaDoc

• Interact with our website hosted on Framer, which uses limited functional and analytical cookies

We do not use cookies for advertising or retargeting purposes.

5. Purpose and Legal Basis for Processing

All processing is performed in accordance with Article 6 of the GDPR, based on:

• Legitimate interest (Art. 6(1)(f)) – communicating with potential clients and partners in a B2B context

• Contractual necessity (Art. 6(1)(b)) – to deliver agreed services, send proposals, and manage invoicing

• Legal obligation (Art. 6(1)(c)) – compliance with bookkeeping and tax laws

We do not rely on consent except where required by law (e.g., for optional marketing messages).

6. Use of Data

Your personal data is used to:

• Respond to requests and schedule meetings

• Communicate about ongoing or potential projects

• Send project updates or reports

• Manage invoicing and contractual documentation

• Maintain security and compliance

• Improve our communication and website experience

We may also use physical mail for business correspondence or marketing purposes.

7. Sharing of Data

We do not sell personal data. However, we share limited information with trusted third-party processors who assist in our operations, such as HubSpot (for CRM and communication), Framer (for hosting and analytics), Stripe (for payment processing), PandaDoc (for contracts), and WhatsApp (for communication).

All processing partners act as data processors under binding agreements ensuring compliance with GDPR.
We may also share contact data with advisors or project partners when necessary for coordination and service delivery.

8. International Data Transfers

Some data may be transferred outside the EU/EEA (e.g., to HubSpot or Stripe servers in the U.S.).
All such transfers are protected under Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Data Retention

We store data only for as long as necessary:

Data TypeRetention PeriodContact and communication dataUp to 12 months after last interactionContract and payment data5 years (in accordance with Norwegian accounting law)Website analytics dataShort-term, aggregated, and anonymized

Data may be deleted earlier upon request, unless required for legal or accounting purposes.

10. Security Measures

We apply appropriate technical and organizational measures to protect personal data, including:

• Encrypted communication (SSL/TLS)

• Two-factor authentication for internal accounts

• Access controls and cloud-based data management

• Regular security updates on all integrated platforms

All systems used are cloud-based and hosted by reputable providers with strong data protection standards.

11. Your Rights

You have the following rights under GDPR:

• Access – to request a copy of your data

• Rectification – to correct inaccurate information

• Erasure – to request deletion (“right to be forgotten”)

• Restriction – to limit how your data is used

• Portability – to receive your data in a structured, machine-readable format

• Objection – to object to processing based on legitimate interests

• Withdrawal of consent – where processing is based on consent

To exercise these rights, contact access@norlandco.com.
We will respond within 30 days.

12. Direct Marketing and Opt-Out

We may contact business representatives through digital or physical communication channels for legitimate business purposes
You can opt out at any time by contacting us at access@norlandco.com.

We do not operate newsletters or mass-marketing lists.

13. Data Subject Complaints

If you believe your personal data has been processed in violation of GDPR, you may contact:

Datatilsynet (The Norwegian Data Protection Authority)
Website: https://www.datatilsynet.no
Email: postkasse@datatilsynet.no

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect operational or legal changes.
The latest version will always be available on our website with an updated “Effective Date”.

15. Contact

For all inquiries or requests related to this Privacy Policy, please contact:

Norland & Co AS
Gunnar Schjelderups vei 13, 0485 Oslo, Norway
access@norlandco.com
https://norlandco.com