Onitio
Scenic nature view with a horizon, capturing the beauty of the landscape and the vastness of the surroundings.

Privacy statement

1 Data Controller

This privacy policy explains how we collect and process personal data in our business. ONITIO NORGE AS, represented by the managing director, is the data controller for the processing of personal data.

Our contact information is as follows:
ONITIO NORGE AS
Business Address: KRISTIANSAND S, Skibåsen 33H, Norway, 4636
Organization Number: 938751943
Email Address: contact@onitio.com

We take your privacy seriously and have implemented several measures to ensure that we provide you with clear information about how we process your data and what rights you have. If you find anything unclear or missing, please do not hesitate to contact us.


2 Your Rights

Please feel free to reach out to us if you have any questions about or wish to exercise any of your rights. You can expect to receive a response within 30 days. For more information, please refer to the Data Inspectorate's website.

  • Access to and Rectification of Your Data: You can request a copy of all the information we process about you and ask us to correct any inaccurate information.
  • Deletion or Restriction: In some situations, you can request us to delete and/or restrict the processing of your information, but we cannot delete data that we are legally obligated to process.
  • Object to Processing: If we process your information based on legitimate interests, you have the right to object to it.
  • Data Portability: If we process your information based on consent or a contract, you can ask us to transfer your data to you or another data controller.
  • You also have the right to withdraw your consent at any time.
  • If you are not satisfied with how your data is being handled, you can file a complaint with the Data Inspectorate. However, we hope that you will reach out to us first so that we can try to resolve the issue for you in a satisfactory manner.


3 Who We Process Personal Data About

We process personal data about:

  • Contacts and IT users at customers
  • Contact at potential customers
  • Contacts at suppliers and partners
  • Website visitors
  • Job applicants
  • Employees
  • Former employees

4 How We Collect Personal Data

Providing us with personal data is voluntary, but in order to complete a transaction, we do require a variety of information from you.

We process personal data when you:

  • Purchase our products/services
  • Contact us via phone, SMS, our website, email, or social media
  • Subscribe to our newsletter
  • Register for events hosted by us
  • Respond to a survey
  • Use our website
  • Apply for a job with us or work for us
  • Are a supplier or partner of ours

We also use cookies and other tracking technologies when you visit Onitio's websites, use our applications/services, and communicate with us via email to enhance your experience with Onitio, our products, and our websites. Please refer to our cookie policy for further information on this.


5 Purpose, Legal Basis, and Storage

In accordance with the General Data Protection Regulation Article 6(1), personal data can be processed based on:

  • Your consent
  • A contract we have entered
  • A legal obligation we have
  • To protect the vital interests of the data subject or another natural person
  • To perform a task carried out in the public interest or in the exercise of official authority
  • A legitimate interest we believe we have

As a rule, personal data should not be processed and retained longer than necessary to fulfill the purpose of the processing. If we process your personal data based on a legitimate interest that we believe we have, you can object to the processing by contacting us. We will then assess your objection and provide you with a prompt response.

To comply with this, we conduct annual GDPR reviews in which we formally assess and review our privacy work. The purpose is to amend, update, and if necessary, delete personal data.

We retain data for as long as we are legally obligated to do so under applicable legal obligations, such as accounting, tax, or employment laws, and/or other relevant rules and regulations. You can contact us at any time if you wish for us to cease processing or delete your personal data, but please note that we cannot delete personal data that we are legally obligated to process.

We have procedures in place to ensure that personal data is deleted from all relevant systems when we no longer have a purpose and/or a legal basis to continue processing them.

Accounting records are retained for up to 5 years in accordance with the rules of the Accounting Act.


6 How We Process Personal Data

Here, we provide detailed information about when and how we process your personal data, for what purposes, on what legal basis, and for how long. We process personal data when:

You communicate with us

When you provide us with your business card or contact us through our website (contact forms, comment sections, chat, or similar), via email, over the phone (calls, text messages), or through social media, we process personal data. Depending on where and how you reach out to us, this may include your name, contact information, IP address, and any other information you choose to provide.

The purpose is to respond to your inquiries, maintain a record of communication, and have documentation in case we receive complaints, claims, or legal demands.

The legal basis can be:

• Your consent.
• A contract we have entered.
• A legitimate interest we believe we have, where the legitimate interest is the ability to respond to your inquiries, maintain a record of communication, and have documentation in case we receive complaints, claims, or legal demands.

We review, archive, and delete communications as needed but no less frequently than once a year.

You purchase our products and services

When you buy products and services from us, we process personal data such as your name, contact information, order and payment details, and purchase history.

The purpose is to deliver products and services to you based on your order/purchase, maintain a history of sold products and services, and otherwise manage and follow up on our customer relationship with you.

The legal basis can be:

  • Your consent.
  • A contract we have entered.
  • A legitimate interest we believe we have, where the legitimate interest is to respond to your inquiries, maintain a record of communication, and have documentation in case we receive complaints, claims, or legal demands.

Marketing in Existing Customer Relationships

When you become a customer with us, we process the personal data as mentioned above. If you have an existing customer relationship with us, we may send you marketing materials via email in accordance with the Marketing Act § 15. The legal basis for this will be a legitimate interest but may also be based on your consent.

The purpose of the marketing is to provide excellent customer service.

You can unsubscribe from marketing emails at any time. Information on how to unsubscribe will be provided in all marketing-related emails.

The information is processed as long as the customer relationship exists or until you opt out of the marketing list.

You Apply for a Job or Work for Us

When you apply for a job with us, we process personal data such as your name, contact information, CV, and other information we need to assess your application.

The legal basis can be:

  • Your consent.
  • A contract we have entered.
  • A legitimate interest we believe we have.

The legal basis may vary depending on where we are in the recruitment process and the type of position in question.

The information is deleted after a candidate is selected for the job, unless you have consented to us keeping your information for a longer period in case you wish to apply for a job at a later date. In this case, the consent will be renewed annually.

For employees, we process the personal data as mentioned above, in addition to information necessary for payroll processing and overall employment administration.

The legal basis can be:

  • Your consent.
  • A contract we have entered.
  • A legitimate interest we believe we have.

Most employee information is processed in accordance with the employment agreement and is typically deleted when the employment relationship ends, unless specific reasons (such as disputes over termination or dismissal) require them to be retained for a longer period.

You Register for an Event

When you participate in our free events, we process personal data such as your name and contact information. For paid events, we also collect order and payment information. The purpose is to provide relevant courses, lectures, and workshops, or to fulfill agreements for booked events.

The legal basis can be:

  • Your consent.
  • A contract we have entered.
  • A legitimate interest we believe we have.

We may also use your personal data to send you a survey about the event you attended and potentially invite you to other similar events. The legal basis, in this case, is a legitimate interest, where the legitimate interest is to continually improve our products and services and provide you with good customer support.

The retention period for this information depends on the type of event, but it is typically deleted no later than 12 months after the event.

You Respond to a Survey

We always inform you about the purpose of the surveys we conduct and whether they are anonymous or not. We do not share the information with others or use it for purposes other than what we have stated. In the case of anonymous surveys, we do not collect personal data.

The legal basis for non-anonymous surveys can be:

  • Your consent.
  • A contract we have entered.
  • A legitimate interest we believe we have.

You Are a Supplier or Collaborator with Us

When you enter into an agreement with us as a supplier, collaborator, or data processor, we process personal data such as your name, contact information, and correspondence.

The purpose is to establish an agreement with you, and the legal basis can be:

  • A contract we have entered.
  • A legitimate interest we believe we have.

The information is retained for as long as we have an ongoing relationship. We process personal data related to general correspondence and communication as described above.

You Use Our Website

When you use our website, we process personal data in accordance with our cookie policy. The purpose is to manage our website, promote the company, and respond to inquiries from visitors. The legal basis for cookies that store or process information falling under the Electronic Communications Act § 2-7b is consent through a browser setting, following the recommendations of the Norwegian Communications Authority (Nkom), as described here.


7 Who We Share Personal Data With

In order to operate our business efficiently and securely, we sometimes need to share your personal data with parties such as:

  • Data processors: providers of various services who process your personal data on our behalf.
  • Professional advisors from industries such as law, finance, accounting, auditing, and insurance.
  • User support for IT and administrative systems.
  • Public authorities to whom we are obligated to report.

We require that all entities with whom we share your personal data ensure the security of your data in accordance with good information security practices and the requirements of the General Data Protection Regulation. We enter into data processing agreements with all those who process data on our behalf and, as needed, require confidentiality agreements.

*We use data processors for:

  • Email, calendar, and digital meetings.
  • Surveys.
  • Accounting, financial management, and invoicing.
  • Electronic signatures.
  • Cloud storage.
  • Newsletters.

For security reasons, we have not specified these by name, but please feel free to contact us if you would like to know more.


8 Security

We take information security seriously, and we will always do our utmost to safeguard your personal data in the best possible way. We implement various security measures, including:

  • Strong passwords.
  • Data encryption.
  • Access controls.
  • Regular backups.
  • Multi-factor authentication.

These measures are in place to protect our data and prevent unauthorized access to view, modify, delete, or in any way affect the data we store, including your personal information.

We only use reputable providers of IT and administrative services such as web hosting, website and PC security, antivirus software, email services, backup, and more. We only allow others to access and/or process your personal data in accordance with our instructions and only when strictly necessary (e.g., for IT support).

We have established procedures for handling data security breaches, and in the event of a breach, we will report it to the Data Inspectorate within 72 hours of discovering the breach. If the breach poses a high risk to data privacy, we will also notify the affected data subjects.

This privacy statement was last updated on: 27.11.2023.