Privacy Policy

Last updated: April 14, 2026

1. Data Controller

Driftdok is the data controller for personal data collected via driftdok.no:

Driftdok
Org. no. 937 502 885
Sleiverudåsen 90
1354 Bærums Verk
Norway
post@driftdok.no

We have not appointed a Data Protection Officer (DPO), as this is not required under GDPR Art. 37. For privacy inquiries, contact us at the email address above.

2. What Data We Collect

We collect the following information in connection with orders:

  • Email address — to deliver documents, receipts and download links
  • Company name and organisation number — to generate customised documents and invoices
  • Municipality — to tailor documents to the correct municipality
  • Invoice address (only for invoice payments) — to issue a valid invoice via Fiken
  • Logo (optional) — to brand documents with your logo
  • Payment information — processed by Stripe and never stored by us
  • IP address and timestamp — recorded with marketing consent and the right-of-withdrawal waiver, as proof of consent (GDPR Art. 7(1))

When using the contact form, we collect your name, email address, and message content.

3. Purpose and Legal Basis

We process your data for the following purposes:

  • Performance of contract (GDPR Art. 6(1)(b)) — to generate and deliver the document package you ordered, and send receipts/invoices
  • Legal obligation (GDPR Art. 6(1)(c)) — to comply with the Norwegian Bookkeeping Act § 13 requirement to retain transaction data for 5 years
  • Consent (GDPR Art. 6(1)(a)) — to send newsletters and marketing via MailerLite, if you ticked the marketing box at checkout. You may withdraw consent at any time via the unsubscribe link in any email, or by contacting us
  • Legitimate interest (GDPR Art. 6(1)(f)) — to respond to contact-form inquiries, prevent fraud, and ensure operational stability (rate limiting, logs)

Marketing consent is requested separately from the purchase and is not required to complete the order. Consent is stored with a timestamp and IP address as documentation under GDPR Art. 7(1).

4. Data Retention

Order data (email, company name, organisation number, municipality) and generated documents are stored for 5 years after purchase. This complies with the Norwegian Bookkeeping Act (Bokføringsloven § 13), which requires 5 years of accounting data retention.

During this period you can re-download your documents at any time via the download page.

Invoice data at Fiken is retained under the same requirement. Contact-form submissions are deleted no later than 12 months after the last correspondence. Marketing consent records are kept for as long as you remain a subscriber plus 36 months (to document consent in case of a complaint), and are then deleted.

After the retention period expires, data is deleted unless another legal basis for continued storage exists.

5. Your Rights

Under the GDPR you have the right to:

  • Access (Art. 15) — request a copy of the data we hold about you
  • Rectification (Art. 16) — request correction of inaccurate data
  • Erasure (Art. 17) — request deletion of your data, subject to statutory retention requirements
  • Restriction (Art. 18) — request restriction of processing while a dispute is resolved
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Object (Art. 21) — object to processing based on legitimate interest, and always object to direct marketing
  • Withdraw consent (Art. 7(3)) — withdraw marketing consent at any time, without affecting the lawfulness of prior processing

Note: We cannot delete transaction data before the statutory 5-year retention period has expired. However, we can immediately delete data not subject to the Bookkeeping Act (e.g. logos, contact-form submissions, marketing consent) upon request. Requests are processed within 30 days.

6. Sub-processors and Third Parties

We use the following sub-processors to deliver our service. All are bound by data processing agreements ensuring GDPR compliance:

  • Stripe Payments Europe, Ltd. (Ireland) — card payment processing
  • Fiken AS (Norway) — accounting and invoice issuance
  • Supabase Inc. (EU region / Frankfurt) — database and authentication
  • Vercel Inc. (USA, EU-US Data Privacy Framework) — hosting, file storage (Blob) and CDN
  • Resend Inc. (USA, EU-US Data Privacy Framework) — transactional email (receipts, download links)
  • MailerLite Ltd. (Ireland) — newsletter and marketing (consent-gated)
  • Google LLC (USA, EU-US Data Privacy Framework) — Tag Manager, Analytics and Consent Mode v2 (consent-gated)
  • Meta Platforms Ireland Ltd. (Ireland) — Meta Pixel (consent-gated)

Transfers to third countries outside the EEA are either to recipients covered by the EU-US Data Privacy Framework, or based on the EU Standard Contractual Clauses (SCCs) with supplementary measures.

7. Information Security

We take security seriously. All communication is encrypted with TLS/HTTPS. Payment data is handled exclusively by Stripe and is never stored by us. Database access is restricted with role-based access control, and download links are bound to unique, time-limited tokens. Uploaded logos are stored privately and are only accessible via signed URLs. Rate limiting and webhook signature verification are used to prevent abuse.

8. Cookies

Driftdok uses technically necessary cookies required for the site to function (e.g. Stripe payment sessions). These do not require consent.

We also use Google Tag Manager to manage the following services, which are only activated after your explicit consent (Google Consent Mode v2):

  • Google Analytics — to understand how visitors use the site
  • Meta Pixel — to measure the effectiveness of marketing on Facebook and Instagram
  • Vercel Analytics — to monitor site performance and usage patterns

A consent banner is shown on your first visit. You can change your choice at any time by clicking the cookie icon in the bottom-left corner of the screen.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe your personal data is being processed in violation of the GDPR or Norwegian data protection law:

Datatilsynet
Postboks 458 Sentrum
0105 Oslo
Norway
Phone: +47 22 39 69 00
datatilsynet.no

10. Contact

For privacy inquiries or to exercise your rights, contact us at post@driftdok.no.