Privacy Policy

1. Data Controller

The data controller responsible for the personal data processed through this website is:

As data controller, we determine the purposes and means by which your personal data is processed. Where we engage third-party processors, we ensure appropriate data processing agreements are in place in accordance with Article 28 of the GDPR.

2. Data We Collect

We collect personal data only to the extent necessary for the purposes described in this policy. The categories of data we may collect include:

2.1 Data You Provide Directly

• Contact form submissions: When you use our contact form, we collect your name, email address, and the content of your message. You also provide a record of your consent to our privacy policy.
• Program enquiries: If you enquire about a specific program, we may collect additional details you include in your message, such as your preferred format or availability.
• Workshop participation: If you enroll in a workshop, we may collect your name, contact details, and administrative information required to manage your participation.

2.2 Data Collected Automatically

• Technical data: IP address, browser type, device type, operating system, and referring URL, collected automatically when you visit our website. This data is used for security and operational purposes.
• Usage data: Pages visited, time spent on pages, and navigation patterns, collected when you have consented to analytics cookies.
• Cookie data: Data collected through cookies in accordance with your cookie consent preferences. See our Cookie Policy for full details.

2.3 Special Categories of Data

We do not intentionally collect special category data (as defined in Article 9 of the GDPR), including health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data. Our programs are educational in nature and do not involve clinical assessment or the collection of health records. Please do not include sensitive health information in your messages to us.

3. Purpose and Legal Basis for Processing

We process your personal data only where we have a lawful basis to do so under Article 6 of the GDPR. The following table describes our processing activities:

3.1 Responding to Enquiries

Legal basis: Contract (Article 6(1)(b)) — where your enquiry relates to a service we provide; and Legitimate Interests (Article 6(1)(f)) — where we have a genuine interest in responding to general questions about our work.

3.2 Program Administration

Legal basis: Contract (Article 6(1)(b)) — processing necessary to administer your participation in a workshop or program.

3.3 Website Analytics

Legal basis: Consent (Article 6(1)(a)) — collected via cookie consent. You can withdraw this consent at any time using our Cookie Settings tool.

3.4 Legal Compliance

Legal basis: Legal obligation (Article 6(1)(c)) — where we are required by law to retain or disclose certain data.

3.5 Security and Fraud Prevention

Legal basis: Legitimate Interests (Article 6(1)(f)) — we have a legitimate interest in maintaining the security and integrity of our systems and services.

4. Data Retention

We retain personal data only for as long as is necessary for the purpose for which it was collected, and in accordance with applicable legal obligations.

• Contact form data: Retained for up to 24 months from the date of submission, unless you request earlier deletion or unless an ongoing relationship (such as a workshop enrollment) necessitates longer retention.
• Workshop participation records: Retained for up to 5 years from the date of participation, in accordance with standard Norwegian administrative and accounting requirements.
• Analytics data: Retained in aggregated, anonymised form for up to 26 months, in accordance with standard analytics platform data retention settings. Where raw session data is collected, it is typically retained for no more than 14 months.
• Technical log data: Retained for up to 90 days for security and operational purposes.
• Cookie consent records: Retained for up to 12 months to demonstrate compliance with our consent obligations.

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be attributed to an individual.

5. Data Sharing and International Transfers

We do not sell, rent, or trade your personal data. We may share your data in the following limited circumstances:

5.1 Service Providers

We may engage trusted third-party service providers to support our operations, including hosting providers, email delivery services, and analytics platforms. These providers act as data processors on our behalf and are bound by data processing agreements. They may only process your data as instructed by us and not for their own purposes.

5.2 Legal Requirements

We may disclose personal data where required to do so by law, court order, or other legal process, including to Norwegian public authorities where required by applicable legislation.

5.3 Business Continuity

In the event of a merger, acquisition, or reorganisation of our business, personal data held by us may be transferred to a successor entity. We will notify affected individuals in advance where required by law.

5.4 International Transfers

Where any of our service providers operate outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place for the transfer of personal data, including standard contractual clauses approved by the European Commission, or other mechanisms permitted under Chapter V of the GDPR.

6. Security Measures

We take the protection of your personal data seriously and implement appropriate technical and organisational measures to safeguard it against unauthorised access, loss, destruction, or disclosure. These measures include:

• All data transmitted between your browser and our website is encrypted using HTTPS (TLS).
• Access to personal data is restricted to authorised personnel on a need-to-know basis.
• Staff with access to personal data are trained in data protection principles.
• Our website and data systems are regularly reviewed for security vulnerabilities.
• Third-party processors are assessed for their security practices prior to engagement.

While we take all reasonable steps to protect your data, no transmission over the internet or electronic storage system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Article 33 and 34 of the GDPR.

7. Your Rights

As a data subject under the GDPR, you have the following rights with respect to your personal data:

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.
• Right to rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure (Article 17): In certain circumstances, you have the right to request that we delete your personal data. This right may be limited where we have a legal obligation to retain data.
• Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your data in certain circumstances, for example while a dispute about accuracy is resolved.
• Right to data portability (Article 20): Where processing is based on consent or contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): You have the right to object to processing based on legitimate interests, including direct marketing. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent: Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no if you believe we have processed your personal data unlawfully.

To exercise any of these rights, please contact us at the details provided in Section 1 of this policy. We will respond to all requests within 30 days. In complex cases, we may extend this period by a further two months, in which case we will notify you within the initial 30 days.

8. Cookies

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device to enable certain website functions. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain until deleted or expired).

You can manage your cookie preferences at any time using the Cookie Settings option on our site. For full information about the cookies we use, their purpose, and how to manage them, please refer to our Cookie Policy.

9. Minors

Our website and programs are designed for adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 16. If you believe that a minor has provided us with personal data, please contact us immediately so that we can take appropriate steps to delete the data.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make significant changes, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically to stay informed about how we are protecting your data. Continued use of our website following any changes constitutes your acknowledgement of the revised policy.

11. Contact

If you have any questions, concerns, or requests relating to this Privacy Policy or the way we handle your personal data, please contact us:

You also have the right to contact the Norwegian Data Protection Authority (Datatilsynet) directly if you are not satisfied with our response to your request.