Privacy Policy
Norwegian Lab will, in connection with our business activities, process personal data. We are committed to handling personal data in a secure and lawful manner. Our data processing, as the data controller for personal data, is based on the activities we carry out and the purpose of our business, which is the production and sale of dietary supplements, etc. Information about which personal data we process, the legal basis for processing, the purpose of processing, how long we process personal data, etc., can be found below.
We may also process personal data in ways other than those described below, but in that case, we will inform the individuals concerned in ways other than through this statement.
If you have any questions or would like more information about our processing of personal data, you can contact us – see contact details below.
1 DATA CONTROLLER FOR PERSONAL DATA
Norwegian Lab is the data controller, i.e., it determines why and how personal data are processed, for the processing described below.
Contact details for the data controller:
Norwegian Lab AS
Postboks 1618 Vika, 0119 Oslo
support@norwegianlab.net
2 PROCESSING OF PERSONAL DATA
We collect and use personal data for various purposes depending on who you are and how we come into contact with you. We primarily process personal data about our customers, who are private individuals, and about contact persons at suppliers and partners, see below.
All processing of personal data must be carried out in accordance with the applicable data protection rules at all times, including the Norwegian Personal Data Act and the General Data Protection Regulation (GDPR).
Personal data means any information relating to a natural person who can be identified directly or indirectly (this person is referred to as the "data subject"). The processing of personal data is any operation performed on personal data, for example, collection, registration, organization, structuring, storage, adaptation, modification, transfer, or deletion.
Below are the processing activities we carry out as a data controller in our business.
2.1 Sales and contact with private customers
When you register as a customer, we ask you to provide information such as your full name, address, and telephone number, as well as (optionally) an email address. We need this information in order to manage your customer relationship, to send you your orders, and for billing purposes. Our legal basis for the processing of these personal data is that such processing is necessary to fulfill our agreement with you (GDPR Article 6(1)(b)).
The personal data we process are obtained from you upon registration and continuously in connection with your ongoing customer relationship with us.
If you place a new order, we will use information about your payment history to check that you do not have any unpaid invoices from previous orders before approving your new order. Our legal basis for the processing of these personal data is our legitimate interest in avoiding further outstanding payments (GDPR Article 6(1)(f)). We have determined that our legitimate interest outweighs the importance of privacy for the individuals whose personal data we verify.
When you have an active customer relationship with us, we will also process information about your subscription (which products we deliver to you) and your customer history, including which products you have purchased, when you purchased them, and associated receipts. We use this information for marketing, analysis, and statistical purposes. Our legal basis for processing these personal data is our legitimate interest in marketing and improving our products and services (GDPR Article 6(1)(f)). We have determined that our legitimate interest outweighs the importance of privacy for the individuals to whom these personal data relate.
In certain cases, we may use your contact details (including name, email address, and customer history) to carry out customer surveys. The purpose of our processing of your personal data in this case is to improve our services. The basis for our processing of these data is our legitimate interest in further developing our products and services (GDPR Article 6(1)(f)). We have determined that our legitimate interest outweighs the importance of privacy for the individuals to whom these personal data relate.
If you have given us your consent, we will also use your contact details and purchase history to send you newsletters and marketing emails. You can unsubscribe at any time by following the instructions included in each message we send you.
We may contact you by telephone and by mail, unless you have opted out of such communications in the Reservation Register (Reservasjonsregisteret) or have directly notified us that you do not wish to receive this type of communication. Our legal basis for processing your personal data is our legitimate interest in marketing our services and products (GDPR Article 6(1)(f)). We have determined that our legitimate interest outweighs the importance of privacy for the individuals to whom these personal data relate.
The personal data related to your customer relationship/subscription, including your name and contact information, will be processed as long as we have an active customer relationship with you. After the customer relationship ends, the data will be deleted after three years.
With regard to the data linked to your account with us, these will be stored and processed as long as your account is active or until you delete the account. The account will also be deleted if it has not been active for the last 12 months.
For security reasons, we also process technical logs and security logs, including the IP address used to register the order, as we need to document any fraud and secure our systems. Logs are also stored and processed for the development of the service and for statistics, so that we can improve the service. We therefore have a legitimate interest in securing and developing our systems and the information in them, and this legitimate interest outweighs the consideration of privacy for the data in question (GDPR Article 6(1)(f) and Article 32). These data are generated by our systems and may be disclosed to the police in connection with investigations, e.g., concerning fraud. This information is kept for approximately one year.
We are also legally required to retain this information in connection with accounting and tax management, for example under the Norwegian Bookkeeping Act and the Norwegian Value Added Tax Act (GDPR Article 6(1)(c)). We also receive these data from you, and they may be transferred to authorities if we are legally obliged to do so. We normally process such data for six years in order to comply with the law.
Card numbers and related information are stored by a third party, which is then the data controller (behandlingsansvarlig) for these data. Who this is depends on the chosen payment solution and the agreement you have with the payment intermediary, such as your bank or credit card company. See also the privacy statements of payment service providers.
The processing is carried out on the basis of our interest in handling the relationship with customers, securing and developing the service, safeguarding our rights, etc., in accordance with GDPR Article 6(1)(f). We believe we have a legitimate interest in processing these types of data and that our interest outweighs the privacy of individuals.
Technical logs, security logs on websites, and logs in connection with services will also be processed for security reasons, for the development of the service, and for statistics. The processing of such data is based on our duty to comply with privacy regulations to secure personal data, see GDPR Article 6(1)(c), cf. among others Article 32, and our duty to protect your personal data under our agreement with you, see above.
2.2 Communication and contact
We process personal data about those who contact us in order to respond to and document the communication and to contact others. This applies to all forms of communication, physical and digital, written and oral.
In such cases, we process name, phone number, email address, and any personal data that may arise from the inquiry, including the history/log of the inquiry.
The processing of data is based on our necessary legitimate interest in processing personal data related to the above (see GDPR Article 6(1)(f)). We have concluded that our legitimate interest in having contact with the outside world as part of our business, in documenting our activities, and in responding to those who contact us and recording such contact, outweighs the privacy interests of the data subjects. We have assessed that this is necessary for us in order to handle the inquiries we receive, and that the privacy of the data subjects does not override these interests.
It is voluntary to provide us with personal data, but it may be necessary to give us the data so that we can answer inquiries.
We process this information until we conclude that there will be no further follow-up of the contact, normally for one year.
2.3 Email
We use email as a communication tool, and emails may contain personal data. The processing is based on our necessary legitimate interest in processing personal data via email (see GDPR Article 6(1)(f)) in order to have a work tool and communication solution, and we have assessed that the privacy of the data subjects does not override these interests. What personal data are processed in emails depends on the purpose and content of the message. Emails are deleted when they are no longer necessary, and we have implemented measures to ensure the regular deletion of emails. Our security solutions can also access emails, but only in an automated manner.
2.4 Information and marketing
If you request information or sign up for a newsletter, we will send out information about our products and services, services from partners, newsletters, and other information and marketing. We will then process your email address and any information you provide to us in this context.
We process personal data to inform you about services and products that may be of interest to you, and we process personal data based on your consent (GDPR Article 6(1)(a)). You can withdraw your consent at any time by using any unsubscribe options in the messages you receive, or opt out of direct marketing and/or profiling under GDPR Article 21(2) by contacting us.
We only process personal data that enable us to carry out the mailing, which is your email address and your name, to make the communication more personal and to ensure that it reaches the correct recipient. The email address and any information you have provided are not used for anything other than sending out the newsletter.
The processing continues until you have received the requested information or have withdrawn your consent. After that, your personal data are deleted.
2.5 Existing and potential customers, suppliers, and partners, etc.
We process personal data about contact persons at existing and potential suppliers and other partners for sales and marketing activities, to manage our relationship with suppliers and others, to prepare, implement, and document services, as well as to evaluate the use of services. In these cases, we will process your name, contact information, company name, and information connected to the contact with the company in which the person works.
The processing of personal data is based on our necessary legitimate interest (GDPR Article 6(1)(f)) in managing our relationships with our customers, partners, and suppliers, and our interest outweighs the individual's privacy.
We also store and disclose data where we have a legal obligation to do so, for example under accounting and tax laws.
Data are stored and processed as long as they are necessary, for example to document matters related to services.
In many cases, it is necessary for us to obtain personal data in order to enter into agreements with customers and suppliers, for example to document that a contract has been established. If we do not obtain the data we need, we will not be able to enter into agreements.
It is voluntary for contact persons whether they wish to provide us with personal data. If we collect personal data from others, it will mainly concern contact information (including name, address, phone number, and email address), position, function, and employer as well as any qualifications and references if relevant. The source for such data will be the contact person's employer, for example from the employer's website. In some cases, we obtain references from others to assess the suitability of suppliers and partners.
We store the data until the relationship with the customer, supplier, or partner ends, or until the contact person ceases to be the contact person, with the exceptions mentioned above.
2.6 Recruitment
In recruiting for new positions with us, we will, among other things, process personal data in connection with CVs, applications, certificates, notes from interviews, results from reference checks, etc.
We may use job-search services to manage submitted applications, and these then act as our data processors. If you register with the job-search service with your own profile, the service acts as the data controller, and we refer you to the service's privacy statement for information about the processing of personal data in the service. The processing of personal data is based on the consent you provided in the job-search service (GDPR Article 6(1)(a)), if such consent is obtained, or on the bases described below.
The basis for processing personal data in recruitment is that it is necessary to take steps prior to entering into an employment contract with the applicant (GDPR Article 6(1)(b)).
If we conduct checks beyond contacting persons you have provided as references, such as background checks, we will process personal data on the basis of our necessary legitimate interest in ensuring that we choose the right candidate for the position (GDPR Article 6(1)(f)). For the latter, we have determined that our legitimate interest in recruiting new employees outweighs the individual's privacy. We encourage you not to include special categories of personal data, such as health data, religion, political opinions, union membership, etc., in your application.
If we process special categories of personal data, we will do so on the basis of your consent (GDPR Article 9(2)(a)). Consent can be withdrawn at any time, and the withdrawal of consent will not affect the lawfulness of the processing of personal data that occurred before the consent was withdrawn.
Personal data are deleted as soon as the recruitment process is completed, unless you have consented to a longer storage period.
2.7 Social media
We have contact with interested parties and others through social media. For example, we have created a Facebook page, where we share responsibility for processing personal data with Facebook. On this Facebook page, personal data will be processed if you post on the page, comment on posts, or "like"/follow the page. Our purpose in processing personal data through Facebook is to have contact with you who wish to communicate with us or otherwise interact on our Facebook page. See also the information on communication under point 2.2 above.
In this context, we process your name and a connection to other information you have posted on Facebook linked to your name/account. In addition, we process everything you share via posts and comments on our Facebook page, as well as the fact that you have "liked" or follow our page. What you share on the Facebook page is up to you and is voluntary.
We ask that you not share personal data in posts or comments on the page, and especially not personal data about others, e.g., by "tagging" or mentioning people.
We process personal data on social media, such as Facebook, on the basis that we consider ourselves to have a necessary legitimate interest in communicating with the outside world through the social medium, and we process personal data in this context (GDPR Article 6(1)(f)). We have assessed that this is necessary for us to communicate with the outside world and handle inquiries we receive, and that the data subjects' privacy does not override these interests.
The data will be processed as long as posts/comments are available on the social medium, and you can delete them yourself at any time.
2.8 Use of websites
Our websites and services use cookies, among other tools, to collect information in order to provide a better customer experience on the websites and services, and to offer functionality in the services. We also use the information to provide visitors with recommendations and service customizations that are as relevant for you as possible. This is provided both on the basis of visitors' behavior, e.g., based on services used, links clicked, or information read, and on the behavior of other users with a similar usage pattern. In addition, cookies are used to provide personalized marketing on our websites, in ad networks, and on social media. As far as practically possible, we try to do this with anonymized data, without knowing that the information is specifically linked to an individual visitor.
A cookie is a text file or data that, during a visit to or interaction with a website, is placed in your browser's internal memory or a sequence of digits/characters that can identify your browser or the device using the website (referred to below as "cookies" for simplicity).
You have the option to prevent us from placing cookies in your browser. Many browsers or devices are set to accept cookies automatically, but you can choose to change the settings so that cookies are not accepted. The downside of disabling cookies in your browser is that the websites will not function optimally. The reason is that the purpose of most of the cookies we use is to provide functionality in the services.
We also use tools other than cookies to collect information about your IP address, the type of browser you use, operating system, date, and time of visits to the website and services. We use this information to analyze trends and make the website and services more user-friendly.
You can see which cookies are used in the box that appears the first time you visit the websites, or by clicking on the circle at the bottom left of the pages, where you can also change your preferences for cookies.
Necessary and functional cookies, as well as cookies for statistics, are processed on the basis of our necessary legitimate interest (GDPR Article 6(1)(f)) to adapt the website to our users, and we consider that this interest outweighs the privacy of individuals. Nevertheless, we safeguard the privacy of website visitors by using the data only for statistical purposes. In these statistics, it is not possible to identify individuals. The data are kept for as long as they are necessary for the purposes mentioned above.
Personal data collected for analysis and marketing purposes are processed on the basis of your consent (GDPR Article 6(1)(a)). The information is processed until you withdraw your consent, which can be done by using the icon on the websites. See details about the consent given on the websites.
3 PROCESSING BASED ON CONSENT
If we process personal data on the basis of your consent, see above, you can withdraw your consent at any time without affecting the lawfulness of processing based on consent prior to withdrawal. Contact us if you wish to withdraw your consent. Note that if you withdraw your consent, we may still process all or parts of the data if there is another basis for the processing.
4 RETENTION AND STORAGE (DELETION) OF PERSONAL DATA
We retain personal data for as long as is necessary for the purpose for which the data were collected, and then delete them in accordance with legal requirements. How long we keep personal data varies based on how the data were collected and the purpose for which they were collected.
The time at which we delete the data is stated above, where the individual processing activities are described. Otherwise, the retention period is based on the following criteria:
- Whether we have a legal or contractual need to retain the data, for instance, if claims may be brought against us
- Whether the data are necessary for our business
- Where the processing basis is consent, when the consent is withdrawn.
When we no longer have an ongoing legitimate need to process your personal data, they are deleted or anonymized as quickly as possible in accordance with applicable law.
Instead of deleting personal data, it may in some cases be relevant to anonymize them. Anonymization means that all identifying or potentially identifying characteristics are removed from the data sets that are kept.
This means, for example, that personal data we process on the basis of your consent are deleted if you withdraw your consent. Personal data we process in order to fulfill a contract with you are deleted when the contract is fulfilled and all obligations arising from the contractual relationship are met, such as legal obligations related to accounting, follow-up of the customer relationship in connection with complaints, etc. Personal data we process as a result of a legal obligation are deleted as soon as we are no longer required to keep the data.
5 TRANSFER OR DISCLOSURE OF PERSONAL DATA TO OTHERS
We do not disclose personal data to others in other cases than those mentioned in this statement and unless there is a legal basis for this. Examples of such a basis could typically be an agreement with or consent from the data subject, or a legal obligation that requires us to provide the information. The latter applies to public authorities, such as tax authorities (if necessary), accounting/auditors, and others we need in our business, such as banks.
We use data processors to collect, store, or otherwise process personal data on our behalf. In such cases, we have entered into agreements to protect your rights and the security of your personal data at all stages of the processing.
If it is required by law or if there is suspicion that a criminal offense has been committed in connection with the use of our services, personal data we have stored about you could be disclosed to public authorities, such as the police, for investigation purposes.
If personal data are to be transferred to another organization in connection with a merger, financing, reorganization, or dissolution transaction of our entire company or part of it, we will only do so if the involved parties have entered into an agreement in which the collection, use, and sharing of personal data is limited to the purposes relating to the transaction, including a provision on whether the transaction should proceed or not, and the personal data shall only be used by the involved parties to carry out and complete the transaction. If another company purchases us or our business or assets, that company will have access to the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this privacy statement.
6 TRANSFER OF PERSONAL DATA TO RECIPIENTS IN COUNTRIES OUTSIDE THE EEA
Our aim is that all processing of personal data should take place within the EEA, but it may happen that we use suppliers or process personal data outside the EEA. In such cases, the transfer and processing outside the EEA ("third countries") will only take place in countries approved by the European Commission or in accordance with a valid legal basis for the transfer of personal data under Chapter V of the GDPR. If the transfer does not take place to a country approved by the European Commission, it will only occur under the safeguards set out in GDPR Article 46(2). You can find out which basis has been used for the transfer by contacting us.
7 SECURITY OF PROCESSING
We place great importance on the security of personal data in our business and will implement all required technical and organizational measures to protect your personal data.
We handle information so that it is correct, available, and treated according to its degree of sensitivity. We also use a variety of security technologies and information security procedures to protect personal data from unauthorized access, use, or disclosure. We carry out risk assessments in relation to the processing of personal data.
We have entered into data processor agreements with all our suppliers who process personal data, in which they undertake the same degree of security that we have for our processing of personal data.
We restrict access to personal data to the staff or third parties who need to process the data on our behalf. These parties are subject to a duty of confidentiality.
There are procedures in place for handling breaches of information security and privacy breaches. If a breach occurs that involves a risk to the privacy of the personal data concerned, we will send a report of the incident to the Norwegian Data Protection Authority (Datatilsynet) as soon as possible and at the latest within 72 hours after the breach was discovered. If the breach is likely to result in a high risk to the privacy of the affected individuals, we will also notify them.
8 YOUR RIGHTS WHEN WE PROCESS PERSONAL DATA ABOUT YOU
Below are your rights regarding the processing of personal data. To exercise your rights, you must contact us (see the contact information above), unless otherwise stated below.
We will respond to your inquiry as quickly as possible, and at the latest within one month. If it takes longer than one month, you will be notified.
We may ask you to confirm your identity or to provide additional information before we allow you to exercise your rights against us. We do this to ensure that we only grant access to your personal data to you – and not to someone who claims to be you.
8.1 Information
You have the right to receive information about the personal data we process about you. Through this statement, we inform you about our processing of personal data. You can also contact us if you want more information.
If we have disclosed data to others, we have a duty to inform the recipient of the requirement to correct or delete personal data, see point 10.3 below, or of restrictions on processing, see point 10.5 below, unless informing the recipient is impossible or requires a disproportionately large effort. We are obliged to inform you about such disclosure if you ask for it.
8.2 Access
You have the right to request access to the personal data processed about you. Please contact us if you wish to access such data. If you have a registered account, you may be able to handle some of the data you have provided through your account, unless the data have been deleted, see above.
If you request it, you will also receive a copy of the personal data we process about you. We may ask you to specify which data you want a copy of to make it easier for us to provide it. When providing a copy of your personal data, we may require you to identify yourself, so we can ensure that we are not disclosing personal data to unauthorized persons. The information about you will be transmitted in digital form unless you request otherwise.
8.3 Changes and deletion
You can also ask us to correct any incorrect information we have about you or to delete personal data. We will meet a request to delete personal data as far as possible, but we may not be able to do this if we still need the data.
8.4 Processing on the basis of consent
If we process personal data based on your consent, you may withdraw that consent at any time. The easiest way to do this is to use the method indicated when you gave your consent or contact us.
8.5 Right to restrict or object to processing
You can request that our processing of your personal data be restricted in certain cases, if the conditions for this are met. If the processing is restricted, the personal data will only be stored. See more in GDPR Article 21.
Where our processing is based on legitimate interests, you have the right to object to the processing of your personal data. If you object, we will stop the relevant processing unless there are compelling legitimate grounds for continuing it.
You can also reserve the right to object to the processing of personal data concerning you for marketing purposes, including profiling insofar as it is related to direct marketing, see GDPR Article 22(2).
8.6 The right to data portability
For the data you have provided to us that is necessary to carry out an agreement with us, and which is processed automatically (i.e., not manually by us), you can request that the personal data about you be released or transferred to another provider in a structured, commonly used, and machine-readable format (data portability).
8.7 Automated processing, including profiling
There will be no automated processing, including profiling, based on your personal data that produces legal effects or significantly affects you in a similar way. See GDPR Article 22(1) and (4).
8.8 Right to be notified
If a data breach occurs, i.e., a breach of the security of personal data that is likely to result in a high risk to your privacy, we will notify you without undue delay.
9 COMPLAINTS
We use the Norwegian Data Protection Authority (Datatilsynet) as the leading supervisory authority for cross-border processing under GDPR Article 56.
If you believe that our processing of personal data is not in line with what we have described here or that we are otherwise violating data protection legislation, you can file a complaint with Datatilsynet. However, we kindly ask you to contact us first, so we can fix any improper processing as quickly as possible.
You can find information about your rights and how to contact Datatilsynet on the Datatilsynet website: www.datatilsynet.no.
10 CHANGES
If there is a change in our processing of personal data or changes in the regulations on the processing of personal data, this may lead to changes in the information you have been given here. If there are changes that directly concern you and have significance for your privacy, we may contact you if we have your contact details. Otherwise, you will always find the updated version of this privacy statement on our website.