Privacy Policy for Nordlys Atelier

Effective date: 17 April 2026

1. Introduction and company information

This Privacy Policy explains how Nordlys Atelier collects, uses, stores, shares, and protects personal data when you visit our studio, contact us, book services, purchase artwork or related products, subscribe to communications, or otherwise interact with us.

Nordlys Atelier acts as the data controller for the processing of personal data described in this Privacy Policy.

Company name: Nordlys Atelier
Address: Thorvald Meyers gate 63, 0552 Oslo, Norway
Email: [email protected]
Phone: +47 22 48 73 19

This Privacy Policy is intended to provide information in a clear and transparent manner and should be read together with any applicable terms, booking conditions, or consent notices provided by Nordlys Atelier.

2. Data collection and processing

We may collect and process the following categories of personal data:

• Identification and contact data: name, email address, phone number, postal address, and similar contact details.
• Communication data: messages, inquiries, feedback, and correspondence with us.
• Booking and transaction data: appointment details, order history, payment status, invoices, and delivery information.
• Customer and service data: preferences, commissioned work details, project specifications, and information relevant to art-studio services.
• Technical data: IP address, browser type, device information, log data, and website usage information, where applicable.
• Marketing data: subscription preferences, consent records, and interaction with newsletters or promotional messages.
• Image and media data: photographs or recordings taken with your consent, for example in connection with studio events, workshops, exhibitions, or commissioned work.

We generally collect personal data directly from you. In some cases, we may also receive data from third parties such as payment providers, delivery partners, booking platforms, or publicly available sources, where permitted by law.

We do not intentionally collect sensitive personal data unless it is necessary and lawful to do so, and only where appropriate safeguards are in place.

3. Purpose of data processing

Nordlys Atelier processes personal data for the following purposes:

• to respond to inquiries and communicate with you;
• to manage bookings, appointments, workshops, studio visits, and related services;
• to process orders, payments, invoices, and deliveries;
• to provide commissioned art services and fulfill contractual obligations;
• to maintain customer records and service history;
• to send newsletters, updates, invitations, or marketing communications where permitted;
• to improve our services, website, and customer experience;
• to comply with legal obligations, including accounting, tax, and record-keeping requirements;
• to protect our rights, property, and safety, and to prevent fraud or misuse;
• to document studio activities, exhibitions, and events, where lawful and appropriate.

4. Legal basis for processing

We process personal data only when we have a valid legal basis. Depending on the context, the legal basis may include:

• Performance of a contract: when processing is necessary to provide services, fulfill orders, or manage bookings and commissions.
• Legal obligation: when we must process data to comply with applicable laws, including accounting and tax obligations.
• Legitimate interests: when processing is necessary for our legitimate business interests, such as managing customer relationships, improving services, securing our systems, and maintaining studio operations, provided that your interests and fundamental rights do not override those interests.
• Consent: when you have given us clear consent, for example for marketing emails, certain cookies or tracking tools, or the use of images or recordings in specific contexts.

Where we rely on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.

5. Data sharing and third parties

We may share personal data with third parties only when necessary and appropriate for the purposes described in this Privacy Policy. These third parties may include:

• Payment service providers for processing payments and refunds;
• Accounting, audit, and legal advisors for compliance and professional support;
• IT and hosting providers for website hosting, email services, data storage, and security;
• Booking and customer management platforms used to manage appointments and client communications;
• Delivery and logistics providers for shipping artwork or products;
• Marketing service providers for newsletters and communications, where applicable;
• Public authorities when required by law or to protect legal rights.

We require third parties that process personal data on our behalf to handle it securely, confidentially, and in accordance with applicable data protection laws.

We do not sell personal data.

6. Data transfer to third countries

Some of our service providers may be located outside Norway or the European Economic Area (EEA). If personal data is transferred to a country outside the EEA, Nordlys Atelier will ensure that appropriate safeguards are in place, such as:

• an adequacy decision by the relevant authority;
• standard contractual clauses or equivalent transfer mechanisms;
• additional technical and organizational safeguards where necessary.

Where required, you may request more information about such transfers and the safeguards used by contacting us using the details below.

7. Storage duration

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The retention period depends on the type of data and the context of processing.

• Customer and contract data: retained for the duration of the customer relationship and for a reasonable period thereafter.
• Accounting and tax records: retained for the period required by applicable law.
• Marketing data: retained until you withdraw consent or unsubscribe, unless a longer retention period is required or permitted by law.
• Inquiry and correspondence data: retained as long as necessary to handle your request and for follow-up purposes.
• Technical logs and security data: retained for a limited period unless needed for investigations, security, or legal claims.

When personal data is no longer needed, we will delete, anonymize, or securely archive it in accordance with applicable requirements.

8. User rights

Subject to applicable law, you may have the following rights regarding your personal data:

• Access: you may request confirmation of whether we process your personal data and obtain a copy of that data.
• Rectification: you may request correction of inaccurate or incomplete personal data.
• Erasure: you may request deletion of your personal data in certain circumstances.
• Restriction: you may request that we limit the processing of your personal data in certain cases.
• Data portability: you may request to receive certain data in a structured, commonly used, machine-readable format and, where technically feasible, request transfer to another controller.
• Objection: you may object to processing based on legitimate interests, and you may object at any time to direct marketing.

To exercise your rights, please contact us using the details in Section 12. We may need to verify your identity before responding. We will respond within the time limits required by applicable law.

9. Withdrawal of consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

You can withdraw consent by contacting Nordlys Atelier at [email protected] or by using any unsubscribe mechanism provided in our communications.

10. Right to complain

If you believe that our processing of your personal data violates applicable privacy laws, you have the right to lodge a complaint with the competent supervisory authority.

In Norway, this is typically the Norwegian Data Protection Authority (Datatilsynet). We encourage you to contact us first so that we can try to resolve your concern directly.

11. Data security

Nordlys Atelier implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include:

• access controls and role-based permissions;
• secure storage and encryption where appropriate;
• regular updates and security maintenance of systems;
• confidentiality obligations for personnel and contractors;
• backup and recovery procedures;
• procedures for handling suspected data incidents.

While we take reasonable steps to protect personal data, no method of transmission or storage is completely secure. We therefore cannot guarantee absolute security.

12. Contact information

If you have questions about this Privacy Policy or wish to exercise your rights, please contact:

Nordlys Atelier
Thorvald Meyers gate 63, 0552 Oslo, Norway
Email: [email protected]
Phone: +47 22 48 73 19

13. Changes to privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The updated version will be published with a revised effective date.

If changes are material, we may provide additional notice where appropriate. We encourage you to review this Privacy Policy periodically to stay informed about how Nordlys Atelier processes personal data.